mattdm pushed to rawtherapee (master). "actual fix for CVE-2015-3885"

notifications at fedoraproject.org notifications at fedoraproject.org
Wed May 13 16:12:41 UTC 2015 

From 1e2bffd2a1a682087b6959ac8b9fe30af8b18bcb Mon Sep 17 00:00:00 2001
From: Matthew Miller <mattdm at mattdm.org>
Date: Wed, 13 May 2015 12:12:22 -0400
Subject: actual fix for CVE-2015-3885


diff --git a/rawtherapee.spec b/rawtherapee.spec
index cbc2b5d..57b8a67 100644
--- a/rawtherapee.spec
+++ b/rawtherapee.spec
@@ -1,6 +1,6 @@
 Name:           rawtherapee
 Version:        4.2
-Release:        7%{?dist}
+Release:        9%{?dist}
 Summary:        Raw image processing software
 
 Group:          Applications/Multimedia 
@@ -19,7 +19,9 @@ Requires:       hicolor-icon-theme fftw
 
 Obsoletes:      rawtherapee-doc < %{version}-%{release}
 
-Patch:          rawtherapee-4.2-appstreamtweak.patch
+Patch0:         rawtherapee-4.2-appstreamtweak.patch
+# https://code.google.com/p/rawtherapee/issues/detail?id=2773
+Patch1:         rawtherapee_CVE-2015-3885.patch
 
 %description
 Rawtherapee is a RAW image processing software. It gives full control over
@@ -28,7 +30,8 @@ to some common image format.
 
 %prep
 %setup -q
-%patch -p1 -b .htmlfix
+%patch0 -p1 -b .htmlfix
+%patch1 -p1 -b .cve-2015-3885
 
 # fix wrong line endings
 sed -i "s|\r||g" LICENSE.txt
@@ -100,6 +103,12 @@ fi || :
 
 
 %changelog
+* Wed May 13 2015 Matthew Miller <mattdm at fedoraproject.org> - 4.2-9
+- same thing, format patch correctly
+
+* Wed May 13 2015 Matthew Miller <mattdm at fedoraproject.org> - 4.2-8
+- Security fix for CVE-2015-3885 (dcraw input sanitization), bz #1221257
+
 * Sat May 02 2015 Kalev Lember <kalevlember at gmail.com> - 4.2-7
 - Rebuilt for GCC 5 C++11 ABI change
 
diff --git a/rawtherapee_CVE-2015-3885.patch b/rawtherapee_CVE-2015-3885.patch
new file mode 100644
index 0000000..91303f2
--- /dev/null
+++ b/rawtherapee_CVE-2015-3885.patch
@@ -0,0 +1,12 @@
+diff -r 0584e964d98a rtengine/dcraw.cc
+--- a/rtengine/dcraw.cc	Tue May 12 13:20:42 2015 +0200
++++ b/rtengine/dcraw.cc	Tue May 12 16:07:08 2015 +0200
+@@ -787,7 +787,8 @@
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/rawtherapee.git/commit/?h=master&id=1e2bffd2a1a682087b6959ac8b9fe30af8b18bcb

More information about the scm-commits mailing list