Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

rawtherapee is affected by the security issue CVE-2015-3885[1]. It's marked no-dsa, that's why I want to coordinate the update with you. I attached the debdiff.

Best,
Philip

[1] https://security-tracker.debian.org/tracker/CVE-2015-3885
diff -Nru rawtherapee-4.2/debian/changelog rawtherapee-4.2/debian/changelog --- rawtherapee-4.2/debian/changelog 2014-10-26 14:00:08.000000000 +0100 +++ rawtherapee-4.2/debian/changelog 2015-05-16 19:09:19.000000000 +0200 @@ -1,3 +1,10 @@ +rawtherapee (4.2-1+deb8u1) jessie-security; urgency=high + + * Add patch debian/patches/02-fix_CVE-2015-3885.patch: + - Fix dcraw imput sanitization errors (CVE-2015-3885) + + -- Philip Rinn <ri...@inventati.org> Thu, 16 May 2015 19:09:23 +0200 + rawtherapee (4.2-1) unstable; urgency=medium * New upstream release: diff -Nru rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch --- rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100 +++ rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch 2015-05-14 17:41:45.000000000 +0200 @@ -0,0 +1,28 @@ +Author: Philip Rinn <ri...@inventati.org> +Description: Fix CVE-2015-3885 +Source: https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e +Last-update: 2015-05-14 +--- a/rtengine/dcraw.c ++++ b/rtengine/dcraw.c +@@ -824,7 +824,8 @@ + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; + +--- a/rtengine/dcraw.cc ++++ b/rtengine/dcraw.cc +@@ -787,7 +787,8 @@ + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; + diff -Nru rawtherapee-4.2/debian/patches/series rawtherapee-4.2/debian/patches/series --- rawtherapee-4.2/debian/patches/series 2014-10-26 13:55:22.000000000 +0100 +++ rawtherapee-4.2/debian/patches/series 2015-05-14 17:30:07.000000000 +0200 @@ -1 +1,2 @@ 01-fix_build_race-condition.patch +02-fix_CVE-2015-3885.patch
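Review bot: in the debian/changelog hunk the distribution is `jessie-security`, but this is a pu (proposed-update) request for a no-dsa issue; a stable point-release upload is targeted at `jessie` (`jessie-security` is for the security team's DSA uploads), so change the distribution before uploading. In the same hunk, fix the typo `imput` -> `input` in the bullet, and regenerate the trailer line (e.g. with `dch -r`): `Thu, 16 May 2015` names the wrong weekday, since 16 May 2015 was a Saturday.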
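Review bot: in the new 02-fix_CVE-2015-3885.patch hunk, the only code change is narrowing `len` in `ljpeg_start` from `int` to `ushort` (in both dcraw.c and dcraw.cc), yet the `Description:` field says just `Fix CVE-2015-3885` with no rationale. Add a sentence stating why a 16-bit `len` is the intended fix relative to the fixed-size `uchar data[0x10000]` buffer declared in the context lines, so a reader does not have to follow the upstream link to understand the change. On the DEP-3 header: the field is spelled `Last-Update`, the upstream commit URL belongs in `Origin:` rather than `Source:`, and a `Bug-Debian:` or `Bug:` line pointing at the corresponding bug report would be useful.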