Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <[email protected]>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #786918,
regarding jessie-pu: package exactimage/0.8.9-7+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
786918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786918
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
I'd like to upload the attached patch to stable-proposed-updates to fix
#786785 (CVE-2015-3885). The security team marked this one as no-dsa but asked
me to propose the fixes for a point release. Would this be ok? The change
matches exactimage 0.9.1-5 + the backported "dependency" patch to get the
ljpeg_start result validation after the ljpeg_start call. The latter change
was in unstable before 0.9.1-5 and is required to test the patch.
Just some information to the patch (taken from my mail to the security team):
The patch was not tested against any official "special crafted image" because
none was provided with the CVE. Instead a raw image was downloaded [1] and
modified to have the len at 0x13800+0x13801 set to 0. This causes an underflow
+ endless loop in the original version of dcraw. But this also showed that the
wheezy/jessie version of exactimage did ljpeg_start() + the jh.*
validation in the wrong order and thus made the jh.* validation read
"uninintialized" data from the stack. This additional problem was fixed in an
extra patch "draw_jpeg_fix.patch". The original dcraw problem could be
reproduced after that jh.* patch was applied without the CVE fix. The test was
run via:
$ econvert -i RAW_CANON_EOS_5DMARK3.CR2 -o test.png
The versions of exactimage with both patches doesn't crash or hang anymore
when testing with the modified RAW_CANON_EOS_5DMARK3.CR2.
The patch is the one from rawstudio mentioned in CVE-2015-3885.
Kind regards,
Sven
[1] http://www.rawsamples.ch/raws/canon/RAW_CANON_EOS_5DMARK3.CR2diff -Nru exactimage-0.8.9/debian/changelog exactimage-0.8.9/debian/changelog
--- exactimage-0.8.9/debian/changelog 2014-08-30 15:47:09.000000000 +0200
+++ exactimage-0.8.9/debian/changelog 2015-05-25 19:23:02.000000000 +0200
@@ -1,3 +1,14 @@
+exactimage (0.8.9-7+deb8u1) jessie; urgency=medium
+
+ * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw
+ * debian/patches:
+ - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start()
+ (Closes: #786785)
+ - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and
+ result check
+
+ -- Sven Eckelmann <[email protected]> Mon, 25 May 2015 17:45:27 +0200
+
exactimage (0.8.9-7) unstable; urgency=medium
* debian/rules:
diff -Nru exactimage-0.8.9/debian/patches/CVE-2015-3885.patch exactimage-0.8.9/debian/patches/CVE-2015-3885.patch
--- exactimage-0.8.9/debian/patches/CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.9/debian/patches/CVE-2015-3885.patch 2015-05-25 19:23:02.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Avoid overflow in ljpeg_start().
+Author: Anders Brander <[email protected]>
+Origin: backport, https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index b115191c2f8f049e8ad933e0f83de52568413ec2..2f24f0f73744520a87cf6dc2eeb7dea84e83a563 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -775,7 +775,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
diff -Nru exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch
--- exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch 2015-05-25 19:23:02.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Fix execution order of ljpeg_start() and result check
+Author: René Rebe <[email protected]>
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index 2f24f0f73744520a87cf6dc2eeb7dea84e83a563..5584fef46c9759776475683a17d252b723a58ee5 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -893,12 +893,12 @@ void CLASS lossless_jpeg_load_raw()
+ struct jhead jh;
+ ushort *rp;
+
+- if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+- longjmp (failure, 2);
+-
+ if (!ljpeg_start (&jh, 0)) return;
+ jwide = jh.wide * jh.clrs;
+
++ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
++ longjmp (failure, 2);
++
+ for (jrow=0; jrow < jh.high; jrow++) {
+ rp = ljpeg_row (jrow, &jh);
+ if (load_flags & 1)
diff -Nru exactimage-0.8.9/debian/patches/series exactimage-0.8.9/debian/patches/series
--- exactimage-0.8.9/debian/patches/series 2014-08-30 15:47:09.000000000 +0200
+++ exactimage-0.8.9/debian/patches/series 2015-05-25 19:23:02.000000000 +0200
@@ -13,3 +13,5 @@
libgif.patch
ftbfs_evas_object.patch
perl_vendor_dir.patch
+CVE-2015-3885.patch
+draw_jpeg_fix.patch
--- End Message ---
--- Begin Message ---
Version: 8.1
Hi,
The fix discussed in this bug was released to stable as part of the 8.1
point release earlier today.
Regards,
Adam
--- End Message ---
