[ufraw] harden against corrupt input files (CVE-2013-1438)

Nils Philippsen nphilipp at fedoraproject.org
Fri Dec 6 18:30:52 UTC 2013


commit 9ed39442cc424612b6fce736db90fe0557079b2a
Author: Nils Philippsen <nils at redhat.com>
Date:   Fri Dec 6 19:30:24 2013 +0100

    harden against corrupt input files (CVE-2013-1438)

 ufraw-0.19.2-CVE-2013-1438.patch |  123 ++++++++++++++++++++++++++++++++++++++
 ufraw.spec                       |    9 +++-
 2 files changed, 131 insertions(+), 1 deletions(-)
---
diff --git a/ufraw-0.19.2-CVE-2013-1438.patch b/ufraw-0.19.2-CVE-2013-1438.patch
new file mode 100644
index 0000000..3cae581
--- /dev/null
+++ b/ufraw-0.19.2-CVE-2013-1438.patch
@@ -0,0 +1,123 @@
+From b9da481d66c493c9df9457c6267528669cde2b24 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Fri, 6 Dec 2013 19:27:36 +0100
+Subject: [PATCH] patch: CVE-2013-1438
+
+Squashed commit of the following:
+
+commit 80a5289734a0f199ae18eefaf15e0136bc7176a5
+Author: Nils Philippsen <nils at redhat.com>
+Date:   Fri Oct 11 17:51:35 2013 +0200
+
+    CVE-2013-1438: fix various security issues
+
+    This fixes division by zero, infinite loop, and null pointer dereference
+    bugs. Ported from Alex Tutubalin's fix in LibRaw (commit
+    9ae25d8c3a6bfb40c582538193264f74c9b93bc0).
+
+    Conflicts:
+    	dcraw.cc
+---
+ dcraw.cc | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/dcraw.cc b/dcraw.cc
+index 0994ffc..3400dac 100644
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -982,6 +982,9 @@ int CLASS ljpeg_diff (ushort *huff)
+ {
+   int len, diff;
+ 
++  if (!huff)
++    longjmp(failure, 2);
++
+   len = gethuff(huff);
+   if (len == 16 && (!dng_version || dng_version >= 0x1010000))
+     return -32768;
+@@ -1037,6 +1040,8 @@ void CLASS lossless_jpeg_load_raw()
+   ushort *rp;
+ 
+   if (!ljpeg_start (&jh, 0)) return;
++  if (jh.wide < 1 || jh.high < 1 || jh.clrs < 1 || jh.bits < 1)
++    longjmp (failure, 2);
+   jwide = jh.wide * jh.clrs;
+ 
+   for (jrow=0; jrow < jh.high; jrow++) {
+@@ -1056,7 +1061,9 @@ void CLASS lossless_jpeg_load_raw()
+       }
+       if (raw_width == 3984 && (col -= 2) < 0)
+ 	col += (row--,raw_width);
+-      if (row >= 0) RAW(row,col) = val;
++      if (row > raw_height)
++        longjmp (failure, 3);
++      if ((unsigned) row < raw_height) RAW(row,col) = val;
+       if (++col >= raw_width)
+ 	col = (row++,0);
+     }
+@@ -5337,6 +5344,7 @@ int CLASS parse_tiff_ifd (int base)
+ 	  data_offset = get4()+base;
+ 	  ifd++;  break;
+ 	}
++  if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
+ 	while (len--) {
+ 	  i = ftell(ifp);
+ 	  fseek (ifp, get4()+base, SEEK_SET);
+@@ -5550,7 +5558,7 @@ guess_cfa_pc:
+ 	break;
+       case 50715:			/* BlackLevelDeltaH */
+       case 50716:			/* BlackLevelDeltaV */
+-	for (num=i=0; i < (int) len; i++)
++	for (num=i=0; i < len && i < 65536; i++)
+ 	  num += getreal(type);
+ 	black += num/len + 0.5;
+ 	break;
+@@ -5676,9 +5684,13 @@ void CLASS apply_tiff()
+   if (thumb_offset) {
+     fseek (ifp, thumb_offset, SEEK_SET);
+     if (ljpeg_start (&jh, 1)) {
+-      thumb_misc   = jh.bits;
+-      thumb_width  = jh.wide;
+-      thumb_height = jh.high;
++      if ((unsigned)jh.bits < 17 && (unsigned)jh.wide < 0x10000 &&
++          (unsigned)jh.high < 0x10000)
++        {
++          thumb_misc   = jh.bits;
++          thumb_width  = jh.wide;
++          thumb_height = jh.high;
++        }
+     }
+   }
+   for (i=0; i < (int) tiff_nifds; i++) {
+@@ -5686,8 +5698,9 @@ void CLASS apply_tiff()
+ 	max_samp = tiff_ifd[i].samples;
+     if (max_samp > 3) max_samp = 3;
+     if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
+-	(tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
+-	tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
++	      (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
++        (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
++        tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
+       raw_width     = tiff_ifd[i].width;
+       raw_height    = tiff_ifd[i].height;
+       tiff_bps      = tiff_ifd[i].bps;
+@@ -5768,10 +5781,12 @@ void CLASS apply_tiff()
+       || (tiff_bps == 8 && !strstr(make,"KODAK") && !strstr(make,"Kodak") &&
+ 	  !strstr(model2,"DEBUG RAW")))
+       is_raw = 0;
+-  for (i=0; i < (int) tiff_nifds; i++)
+-    if (i != raw && tiff_ifd[i].samples == max_samp &&
+-	tiff_ifd[i].width * tiff_ifd[i].height / SQR(tiff_ifd[i].bps+1) >
+-	      (int)(thumb_width *       thumb_height / SQR(thumb_misc+1))
++  for (i=0; i < tiff_nifds; i++)
++    if ((int) i != raw && tiff_ifd[i].samples == max_samp &&
++        tiff_ifd[i].bps > 0 && tiff_ifd[i].bps < 33 &&
++        ((unsigned)(tiff_ifd[i].width | tiff_ifd[i].height)) < 0x10000 &&
++	tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
++	      (int)(thumb_width *       thumb_height / (SQR(thumb_misc)+1))
+ 	&& tiff_ifd[i].comp != 34892) {
+       thumb_width  = tiff_ifd[i].width;
+       thumb_height = tiff_ifd[i].height;
+-- 
+1.8.4.2
+
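Review bot: The capped loop in the BlackLevelDeltaH/V hunk of `parse_tiff_ifd` still leaves the unchanged next line, `black += num/len + 0.5;`, dividing by `len`, so a tag with `len == 0` (reachable from a corrupt file) produces NaN/inf, and converting that into `black` is undefined behaviour — exactly the class of defect the commit message says it fixes. The cap also only sums the first 65536 values while dividing by the full `len`, which silently skews the black level for oversized tags; both are closed by bailing on an empty tag and dividing by the count actually read, e.g. `if (!len) break;` before the loop and `black += num/i + 0.5;` after it (assuming `num` is floating point as in upstream dcraw — the declarations are outside the hunk, and the type of `len` is likewise not visible, so `i < len` may be a signed/unsigned comparison). The same shape recurs in the last `apply_tiff` hunk, where `tiff_ifd[i].width * tiff_ifd[i].height` is bounded only per factor (`< 0x10000`), so the `int` product can still exceed INT_MAX for an adversarial IFD; hoisting that product into a wider or unsigned temporary would make the comparison well-defined. The new lines at `if(len > 1000) len=1000;` and in the `apply_tiff` condition use space indentation where the surrounding code uses tabs. `parse_tiff_ifd` and `apply_tiff` both start and end outside these hunks.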
diff --git a/ufraw.spec b/ufraw.spec
index b66ae3e..fcb280c 100644
--- a/ufraw.spec
+++ b/ufraw.spec
@@ -30,7 +30,7 @@
 Summary: Raw image data retrieval tool for digital cameras
 Name: ufraw
 Version: 0.19.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Applications/Multimedia
 License: GPLv2+
 URL: http://ufraw.sourceforge.net
@@ -44,6 +44,9 @@ Patch1: ufraw-0.19.2-gimp-file-load-magic.patch
 # Use lcms 2.x.
 # https://sourceforge.net/p/ufraw/bugs/356/
 Patch2: ufraw-0.19.2-lcms2.patch
+# Harden against corrupt input files.
+# https://sourceforge.net/p/ufraw/bugs/361/
+Patch3: ufraw-0.19.2-CVE-2013-1438.patch
 # Regenerated autofoo files
 Patch10: ufraw-0.19.2-7-autofoo.patch.bz2
 BuildRequires: gimp-devel >= 2.2
@@ -140,6 +143,7 @@ EOF
 %patch0 -p1 -b .gimp-exif-decode
 %patch1 -p1 -b .gimp-file-load-magic
 %patch2 -p1 -b .lcms2
+%patch3 -p1 -b .CVE-2013-1438
 
 %patch10 -p1 -b .autofoo
 
@@ -222,6 +226,9 @@ update-desktop-database >& /dev/null || :
 %endif
 
 %changelog
+* Fri Dec 06 2013 Nils Philippsen <nils at redhat.com> - 0.19.2-10
+- harden against corrupt input files (CVE-2013-1438)
+
 * Tue Dec 03 2013 Rex Dieter <rdieter at fedoraproject.org> 0.19.2-9
 - rebuild (exiv2)
 

