nphilipp pushed to ufraw (f22). "avoid writing past array boundaries when reading... (..more)"
notifications at fedoraproject.org
Thu May 21 11:58:25 UTC 2015
From f0e47cebce4a8b7f9c0a4f63575298dff5eccea1 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils at redhat.com>
Date: Thu, 21 May 2015 13:55:59 +0200
Subject: avoid writing past array boundaries when reading certain raw formats (CVE-2015-3885)
diff --git a/ufraw-0.21-CVE-2015-3885.patch b/ufraw-0.21-CVE-2015-3885.patch
new file mode 100644
index 0000000..c17c66c
--- /dev/null
+++ b/ufraw-0.21-CVE-2015-3885.patch
@@ -0,0 +1,52 @@
+From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Thu, 21 May 2015 13:47:29 +0200
+Subject: [PATCH] patch: CVE-2015-3885
+
+Squashed commit of the following:
+
+commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
+Author: Nils Philippsen <nils at redhat.com>
+Date: Tue May 19 11:36:57 2015 +0200
+
+ CVE-2015-3885: avoid overflowing array
+
+ When reading raw image files containing lossless JPEG data, headers
+ could be manipulated to make the signed int variable 'len' negative
+ which specifies how much actual data follows. Interpreted as unsigned,
+ this could lead to reading file data past the 64k boundary of the array
+ used for storing it. To avoid that, make 'len' unsigned short, and bail
+ out early if its value would become invalid (i.e. <= 0).
+---
+ dcraw.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.cc b/dcraw.cc
+index 75ea121..d9f96ff 100644
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -934,7 +934,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
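Review bot: changing `len` from `int` to `ushort` also changes the meaning of every other use of `len` in ljpeg_start() that this hunk does not show, not only the `fread (data, 1, len, ifp);` call further down; check that none of them compares `len` against a negative value or relies on it being wider than 16 bits, since such comparisons silently change semantics with an unsigned type. `ushort` is used here the same way as the existing `uchar data[0x10000];`, so the declaration relies on dcraw's own typedefs being in scope, which holds when the patch is applied to the bundled dcraw.cc.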
+@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ do {
+ fread (data, 2, 2, ifp);
+ tag = data[0] << 8 | data[1];
+- len = (data[2] << 8 | data[3]) - 2;
+- if (tag <= 0xff00) return 0;
++ len = (data[2] << 8 | data[3]);
++ if (tag <= 0xff00 || len <= 2) return 0;
++ len -= 2;
+ fread (data, 1, len, ifp);
+ switch (tag) {
+ case 0xffc3:
+--
+2.4.1
+
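Review bot: the new `if (tag <= 0xff00 || len <= 2) return 0;` in the second hunk rejects a segment whose length field is exactly 2 (an empty payload), which the old code accepted with `len` equal to 0 and a zero-byte `fread`; this matches the commit message's "<= 0" wording, but it is a behaviour change for files carrying empty marker segments and deserves a sentence in the commit message. After `len -= 2;` the value is bounded to 1..65533, so the read into `uchar data[0x10000]` can no longer exceed the buffer; the return value of `fread (data, 1, len, ifp);` remains unchecked, so a truncated file still leaves stale bytes in `data`, but that is pre-existing and outside the scope of this CVE fix.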
diff --git a/ufraw.spec b/ufraw.spec
index db129c2..a7f3e3b 100644
--- a/ufraw.spec
+++ b/ufraw.spec
@@ -35,6 +35,7 @@ Group: Applications/Multimedia
License: GPLv2+
URL: http://ufraw.sourceforge.net
Source0: http://downloads.sourceforge.net/ufraw/ufraw-%{version}.tar.gz
+Patch0: ufraw-0.21-CVE-2015-3885.patch
BuildRequires: gimp-devel >= 2.2
BuildRequires: gimp >= 2.2
%if %{with cinepaint}
@@ -127,6 +128,7 @@ pkg_mime_xml: %{with pkg_mime_xml}
EOF
%setup -q
+%patch0 -p1 -b .CVE-2015-3885
%build
%configure --enable-mime --enable-extras --enable-contrast --disable-silent-rules
@@ -212,6 +214,10 @@ update-mime-database %{?fedora:-n} %{_datadir}/mime &> /dev/null || :
%endif
%changelog
+* Thu May 21 2015 Nils Philippsen <nils at redhat.com> - 0.21-1
+- avoid writing past array boundaries when reading certain raw formats
+ (CVE-2015-3885)
+
* Wed May 20 2015 Nils Philippsen <nils at redhat.com> - 0.21-1
- version 0.21
- don't manually specify, clean buildroot
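Review bot: the new changelog entry uses the same release, `0.21-1`, as the previous entry, and no change to the `Release:` tag appears anywhere in this diff; unless it is bumped in a separate commit, the patched package carries the same NEVR as the unpatched 0.21-1 and will not be picked up as an update. Bump the release (for example to 0.21-2) together with the changelog entry.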
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/ufraw.git/commit/?h=f22&id=f0e47cebce4a8b7f9c0a4f63575298dff5eccea1
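To make the length-handling bug described in the commit message concrete, here is an added, constructed re-creation of the marker-length logic of ljpeg_start() before and after the patch, run over a few hand-built 4-byte (tag, length) headers; it is not ufraw or dcraw code, and `old_verdict`, `new_verdict`, the verdict constants and the `HDR_*` samples are names invented for this example.

```c
/* Constructed re-creation of the length handling in dcraw's ljpeg_start(),
 * before and after the CVE-2015-3885 patch, for one 4-byte marker header
 * (tag, length) as read by fread(data, 2, 2, ifp). Not ufraw/dcraw code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEG_BUF_SIZE 0x10000   /* size of dcraw's uchar data[0x10000] */

enum { REJECTED = -1, SAFE_READ = 0, OVERFLOW_READ = 1 };

/* Pre-patch: signed int len, subtraction done before any validation. */
static int old_verdict(const uint8_t hdr[4])
{
    int tag = hdr[0] << 8 | hdr[1];
    int len = (hdr[2] << 8 | hdr[3]) - 2;      /* may become -1 or -2 */
    if (tag <= 0xff00) return REJECTED;
    size_t n = (size_t)len;                     /* what fread() receives */
    return n > SEG_BUF_SIZE ? OVERFLOW_READ : SAFE_READ;
}

/* Patched: unsigned short len, bail out before subtracting. */
static int new_verdict(const uint8_t hdr[4])
{
    int tag = hdr[0] << 8 | hdr[1];
    unsigned short len = (unsigned short)(hdr[2] << 8 | hdr[3]);
    if (tag <= 0xff00 || len <= 2) return REJECTED;
    len -= 2;                                   /* now 1..65533 */
    return (size_t)len > SEG_BUF_SIZE ? OVERFLOW_READ : SAFE_READ;
}

/* Constructed sample headers: SOF3 marker (0xffc3) with various length fields. */
static const uint8_t HDR_LEN_ZERO[4] = {0xff, 0xc3, 0x00, 0x00}; /* length field 0 */
static const uint8_t HDR_LEN_ONE[4]  = {0xff, 0xc3, 0x00, 0x01};
static const uint8_t HDR_LEN_TWO[4]  = {0xff, 0xc3, 0x00, 0x02}; /* empty payload */
static const uint8_t HDR_LEN_MAX[4]  = {0xff, 0xc3, 0xff, 0xff}; /* 65533-byte payload */
static const uint8_t HDR_BAD_TAG[4]  = {0xff, 0x00, 0x00, 0x10}; /* tag <= 0xff00 */

int main(void)
{
    const uint8_t *hdrs[] = {HDR_LEN_ZERO, HDR_LEN_ONE, HDR_LEN_TWO, HDR_LEN_MAX, HDR_BAD_TAG};
    const char *names[] = {"len=0", "len=1", "len=2", "len=65535", "bad tag"};
    for (size_t i = 0; i < 5; i++)
        printf("%-10s old=%2d new=%2d\n", names[i], old_verdict(hdrs[i]), new_verdict(hdrs[i]));
    return 0;
}
```

A verdict of 1 means the byte count handed to fread() exceeds the 64k buffer; the old logic reaches it for any length field below 2, the patched logic never does.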