From dc12f0c1d37c1f9ceb5ed74b8692a3ff4b288e69 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 02 2021 16:12:39 +0000
Subject: import LibRaw-0.19.5-3.el8
---
diff --git a/SOURCES/LibRaw-CVE-2020-24870.patch b/SOURCES/LibRaw-CVE-2020-24870.patch
new file mode 100644
index 0000000..10df71a
--- /dev/null
+++ b/SOURCES/LibRaw-CVE-2020-24870.patch
@@ -0,0 +1,42 @@
+From 4d463048b9f27a3dc86b7010c198b32d995cd941 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Tue, 27 Apr 2021 17:44:09 +0200
+Subject: [PATCH] Limit loops to MIN(colors,4)
+
+This is a backport of commit 4feaed4dea636cee for CVE-2020-24870.
+
+https://github.com/LibRaw/LibRaw/issues/330
+---
+ internal/dcraw_common.cpp | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index a36553208194..3e8c009eb08e 100644
+--- a/internal/dcraw_common.cpp
++++ b/internal/dcraw_common.cpp
+@@ -19598,17 +19598,18 @@ dng_skip:
+
+ if(calidx[colidx] == sidx)
+ {
+- for (int i = 0; i < colors; i++)
++ for (int i = 0; i < colors && i < 4; i++)
+ FORCC
+ cc[i][c] = tiff_ifd[sidx].dng_color[colidx].calibration[i][c];
+ }
+
+ if(abidx == sidx)
+- for (int i = 0; i < colors; i++)
++ for (int i = 0; i < colors && i < 4; i++)
+ FORCC cc[i][c] *= tiff_ifd[sidx].dng_levels.analogbalance[i];
+ int j;
+- FORCC for (int i = 0; i < 3; i++) for (cam_xyz[c][i] = j = 0; j < colors; j++) cam_xyz[c][i] +=
+- cc[c][j] * cm[j][i];// add AsShotXY later * xyz[i];
++ FORCC for (int i = 0; i < 3; i++)
++ for (cam_xyz[c][i] = j = 0; j < colors && j < 4; j++)
++ cam_xyz[c][i] += cc[c][j] * cm[j][i];// add AsShotXY later * xyz[i];
+ cam_xyz_coeff(cmatrix, cam_xyz);
+ }
+ }
+--
+2.30.2
+
diff --git a/SPECS/LibRaw.spec b/SPECS/LibRaw.spec
index b290e85..c31a25b 100644
--- a/SPECS/LibRaw.spec
+++ b/SPECS/LibRaw.spec
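Review bot: The new bound `i < colors && i < 4` caps only the outer row index of `cc`, while the inner `FORCC` on the following lines still indexes `cc[i][c]` and `calibration[i][c]` by `c`; if `FORCC` iterates `c` up to `colors` (as dcraw's `FORC(colors)` does), a DNG declaring more than four colours would still drive `c` past a 4-wide row unless `colors` is clamped before this point, which is worth confirming in the backported 0.19.5 tree rather than assumed. The guard also silently truncates rather than rejecting such input, so a one-line comment on the first capped loop, `// colors comes from the file; cap at 4 to stay within the fixed-size matrices (CVE-2020-24870)`, would spare the next backporter from re-deriving why MIN(colors,4) is used. Since the identical bound now appears three times, computing it once as `const int ncolors = MIN(colors, 4);` and looping to `ncolors` keeps the three loops from drifting apart in later backports. The enclosing function starts and ends outside this hunk.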
@@ -1,7 +1,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.19.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD and (CDDL or LGPLv2)
 URL: http://www.libraw.org
@@ -14,6 +14,7 @@ BuildRequires: autoconf automake libtool
 Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz
 Patch0: LibRaw-0.6.0-pkgconfig.patch
 Patch1: LibRaw-CVE-2020-15503.patch
+Patch2: LibRaw-CVE-2020-24870.patch
 Provides: bundled(dcraw) = 9.25
 %description
@@ -54,6 +55,7 @@ LibRaw sample programs
 %patch0 -p0 -b .pkgconfig
 %patch1 -p1 -b .cve-2020-15503
+%patch2 -p1 -b .cve-2020-24870
 %build
 autoreconf -if
@@ -117,6 +119,10 @@ rm -fv %{buildroot}%{_libdir}/lib*.la
 %changelog
+* Tue Apr 27 2021 Debarshi Ray - 0.19.5-3
+- Backport fix for CVE-2020-24870 from upstream
+Resolves: #1931841
+
 * Mon Aug 10 2020 Debarshi Ray - 0.19.5-2
 - Backport fix for CVE-2020-15503 from Fedora
 Resolves: #1853529