nphilipp pushed to ufraw (f22). "avoid writing past array boundaries when reading... (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Thu May 21 11:58:25 UTC 2015


From f0e47cebce4a8b7f9c0a4f63575298dff5eccea1 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils at redhat.com>
Date: Thu, 21 May 2015 13:55:59 +0200
Subject: avoid writing past array boundaries when reading...

certain raw formats (CVE-2015-3885)

diff --git a/ufraw-0.21-CVE-2015-3885.patch b/ufraw-0.21-CVE-2015-3885.patch
new file mode 100644
index 0000000..c17c66c
--- /dev/null
+++ b/ufraw-0.21-CVE-2015-3885.patch
@@ -0,0 +1,52 @@
+From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Thu, 21 May 2015 13:47:29 +0200
+Subject: [PATCH] patch: CVE-2015-3885
+
+Squashed commit of the following:
+
+commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
+Author: Nils Philippsen <nils at redhat.com>
+Date:   Tue May 19 11:36:57 2015 +0200
+
+    CVE-2015-3885: avoid overflowing array
+
+    When reading raw image files containing lossless JPEG data, headers
+    could be manipulated to make the signed int variable 'len' negative
+    which specifies how much actual data follows. Interpreted as unsigned,
+    this could lead to reading file data past the 64k boundary of the array
+    used for storing it. To avoid that, make 'len' unsigned short, and bail
+    out early if its value would become invalid (i.e. <= 0).
+---
+ dcraw.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.cc b/dcraw.cc
+index 75ea121..d9f96ff 100644
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -934,7 +934,8 @@ struct jhead {
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
+@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+   do {
+     fread (data, 2, 2, ifp);
+     tag =  data[0] << 8 | data[1];
+-    len = (data[2] << 8 | data[3]) - 2;
+-    if (tag <= 0xff00) return 0;
++    len = (data[2] << 8 | data[3]);
++    if (tag <= 0xff00 || len <= 2) return 0;
++    len -= 2;
+     fread (data, 1, len, ifp);
+     switch (tag) {
+       case 0xffc3:
+-- 
+2.4.1
+
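Review bot: Both `fread` calls in the rewritten loop still ignore their return value, so on a truncated file `data` keeps stale bytes — or, on the first iteration, the uninitialized contents of the 64 KiB stack array — and the `switch (tag)` that follows parses them as if the read had succeeded. The CVE fix itself holds (`len` is at most 65535 before the subtraction, so `len - 2` always fits in `data[0x10000]`), but the header read and the payload read should each fail the function: `if (fread (data, 2, 2, ifp) != 2) return 0;` and `if (fread (data, 1, len, ifp) != len) return 0;`. Note also that `len <= 2` rejects a marker segment whose length field is exactly 2, i.e. an empty payload, whereas the commit message only describes guarding against a value that would become `<= 0`; if that stricter cut is deliberate, a one-line comment saying so would save the next reader a check. `ljpeg_start` begins and ends outside the hunk, so what the later cases do with a short read cannot be confirmed from here.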
diff --git a/ufraw.spec b/ufraw.spec
index db129c2..a7f3e3b 100644
--- a/ufraw.spec
+++ b/ufraw.spec
@@ -35,6 +35,7 @@ Group: Applications/Multimedia
 License: GPLv2+
 URL: http://ufraw.sourceforge.net
 Source0: http://downloads.sourceforge.net/ufraw/ufraw-%{version}.tar.gz
+Patch0: ufraw-0.21-CVE-2015-3885.patch
 BuildRequires: gimp-devel >= 2.2
 BuildRequires: gimp >= 2.2
 %if %{with cinepaint}
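Review bot: No Release bump is visible alongside the new `Patch0:` line, and the changelog entry added further down in this commit reuses `0.21-1`, the same version-release as the entry from the previous day; if 0.21-1 was already built, the patched package would carry the same NVR as the unpatched one and the build would be rejected or indistinguishable. Unless that earlier build never happened, bump the Release tag and use `0.21-2` in the new changelog header. The Release tag itself is outside the hunk, so this is inferred from the changelog alone.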
@@ -127,6 +128,7 @@ pkg_mime_xml:   %{with pkg_mime_xml}
 
 EOF
 %setup -q
+%patch0 -p1 -b .CVE-2015-3885
 
 %build
 %configure --enable-mime --enable-extras --enable-contrast --disable-silent-rules
@@ -212,6 +214,10 @@ update-mime-database %{?fedora:-n} %{_datadir}/mime &> /dev/null || :
 %endif
 
 %changelog
+* Thu May 21 2015 Nils Philippsen <nils at redhat.com> - 0.21-1
+- avoid writing past array boundaries when reading certain raw formats
+  (CVE-2015-3885)
+
 * Wed May 20 2015 Nils Philippsen <nils at redhat.com> - 0.21-1
 - version 0.21
 - don't manually specify, clean buildroot


	http://pkgs.fedoraproject.org/cgit/ufraw.git/commit/?h=f22&id=f0e47cebce4a8b7f9c0a4f63575298dff5eccea1

