Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

rawtherapee is affected by the security issue CVE-2015-3885[1]. It's marked no-dsa, that's why I want to coordinate the update with you.

I attached the debdiff.

Best,
Philip


[1]https://security-tracker.debian.org/tracker/CVE-2015-3885
diff -Nru rawtherapee-4.2/debian/changelog rawtherapee-4.2/debian/changelog
--- rawtherapee-4.2/debian/changelog	2014-10-26 14:00:08.000000000 +0100
+++ rawtherapee-4.2/debian/changelog	2015-05-16 19:09:19.000000000 +0200
@@ -1,3 +1,10 @@
+rawtherapee (4.2-1+deb8u1) jessie-security; urgency=high
+
+  * Add patch debian/patches/02-fix_CVE-2015-3885.patch:
+    - Fix dcraw imput sanitization errors (CVE-2015-3885)
+
+ -- Philip Rinn <ri...@inventati.org>  Thu, 16 May 2015 19:09:23 +0200
+
 rawtherapee (4.2-1) unstable; urgency=medium
 
   * New upstream release:
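Review bot: the changelog entry targets `jessie-security` with `urgency=high`, but this request is tagged `pu` for an issue marked no-dsa, so the package goes through proposed-updates and the distribution in `rawtherapee (4.2-1+deb8u1) jessie-security; urgency=high` should be `jessie` (the urgency has no effect there). Two smaller points in the same entry: `imput` in `- Fix dcraw imput sanitization errors (CVE-2015-3885)` should read `input`, and 16 May 2015 was a Saturday, so the trailer `Thu, 16 May 2015 19:09:23 +0200` carries the wrong day name, which dpkg-parsechangelog will warn about.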
diff -Nru rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch
--- rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch	1970-01-01 01:00:00.000000000 +0100
+++ rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch	2015-05-14 17:41:45.000000000 +0200
@@ -0,0 +1,28 @@
+Author: Philip Rinn <ri...@inventati.org>
+Description: Fix CVE-2015-3885
+Source: https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+Last-update: 2015-05-14
+--- a/rtengine/dcraw.c
++++ b/rtengine/dcraw.c
+@@ -824,7 +824,8 @@
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
+--- a/rtengine/dcraw.cc
++++ b/rtengine/dcraw.cc
+@@ -787,7 +787,8 @@
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
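Review bot: the fix is a declaration-only change (`int c, tag, len;` becomes `int c, tag;` plus `ushort len;`) in both `rtengine/dcraw.c` and `rtengine/dcraw.cc`, so the hunk as quoted does not show how `len` is computed or where it is used as a read count into `uchar data[0x10000]`; a reviewer can only infer that narrowing to `ushort` caps the value at 0xFFFF, which fits that buffer, rather than verify it. Consider expanding the `Description:` line to say exactly that (a negative or oversized length from the file no longer reaches the read), or widening the patch context so the consuming `fread` is visible; an explicit bounds check against `sizeof data` before the read would make the intent self-evident rather than depending on a type width. In the DEP-3 header, the upstream commit URL belongs in `Origin:` rather than `Source:`, and the field is conventionally spelled `Last-Update:`.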
diff -Nru rawtherapee-4.2/debian/patches/series rawtherapee-4.2/debian/patches/series
--- rawtherapee-4.2/debian/patches/series	2014-10-26 13:55:22.000000000 +0100
+++ rawtherapee-4.2/debian/patches/series	2015-05-14 17:30:07.000000000 +0200
@@ -1 +1,2 @@
 01-fix_build_race-condition.patch
+02-fix_CVE-2015-3885.patch