Hello community, here is the log from the commit of package libraw for openSUSE:Factory checked in at 2020-07-15 11:24:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libraw (Old) and /work/SRC/openSUSE:Factory/.libraw.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libraw" Wed Jul 15 11:24:32 2020 rev:55 rq:819256 version:0.19.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libraw/libraw.changes 2020-01-02 14:40:03.228881264 +0100 +++ /work/SRC/openSUSE:Factory/.libraw.new.3060/libraw.changes 2020-07-15 11:26:28.297682790 +0200 @@ -1,0 +2,8 @@ +Tue Jul 7 14:20:04 UTC 2020 - pgaj...@suse.com + +- security update +- added patches + fix CVE-2020-15503 [bsc#1173674], lack of thumbnail size range check can lead to buffer overflow + + libraw-CVE-2020-15503.patch + +------------------------------------------------------------------- New: ---- libraw-CVE-2020-15503.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libraw.spec ++++++ --- /var/tmp/diff_new_pack.t7K3nP/_old 2020-07-15 11:26:33.629688068 +0200 +++ /var/tmp/diff_new_pack.t7K3nP/_new 2020-07-15 11:26:33.629688068 +0200 @@ -1,7 +1,7 @@ # # spec file for package libraw # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,6 +32,8 @@ #Git-Clone: git://github.com/LibRaw/LibRaw Source: https://www.libraw.org/data/%tar_name-%version.tar.gz Patch1: libraw-Add-Sony-ILCE-7M3.patch +# CVE-2020-15503 [bsc#1173674], lack of thumbnail size range check can lead to buffer overflow +Patch2: libraw-CVE-2020-15503.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes @@ -102,6 +104,7 @@ %prep %setup -q -n %{tar_name}-%{version} %patch1 -p1 +%patch2 -p1 %build %global _lto_cflags %{_lto_cflags} -ffat-lto-objects ++++++ libraw-CVE-2020-15503.patch ++++++ Index: LibRaw-0.19.5/libraw/libraw_const.h =================================================================== --- LibRaw-0.19.5.orig/libraw/libraw_const.h 2020-07-07 12:42:30.310654582 +0200 +++ LibRaw-0.19.5/libraw/libraw_const.h 2020-07-07 12:49:43.141162263 +0200 
@@ -24,6 +24,11 @@ it under the terms of the one of two lic #define LIBRAW_MAX_ALLOC_MB 2048L #endif +/* limit thumbnail size, default is 512Mb*/ +#ifndef LIBRAW_MAX_THUMBNAIL_MB +#define LIBRAW_MAX_THUMBNAIL_MB 512L +#endif + /* Change to non-zero to allow (broken) CRW (and other) files metadata loop prevention */ #ifndef LIBRAW_METADATA_LOOP_PREVENTION Index: LibRaw-0.19.5/src/libraw_cxx.cpp =================================================================== --- LibRaw-0.19.5.orig/src/libraw_cxx.cpp 2019-08-20 19:34:30.000000000 +0200 +++ LibRaw-0.19.5/src/libraw_cxx.cpp 2020-07-07 13:03:23.697916270 +0200 @@ -3712,6 +3712,20 @@ libraw_processed_image_t *LibRaw::dcraw_ return NULL; } + if (T.tlength < 64u) + { + if (errcode) + *errcode = EINVAL; + return NULL; + } + + if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) + { + if (errcode) + *errcode = LIBRAW_TOO_BIG; + return NULL; + } + if (T.tformat == LIBRAW_THUMBNAIL_BITMAP) { libraw_processed_image_t *ret = (libraw_processed_image_t *)::malloc(sizeof(libraw_processed_image_t) + T.tlength); @@ -3976,6 +3990,12 @@ void LibRaw::kodak_thumb_loader() if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND) throw LIBRAW_EXCEPTION_IO_EOF; + if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) + throw LIBRAW_EXCEPTION_IO_CORRUPT; + + if (INT64(T.theight) * INT64(T.twidth) < 64ULL) + throw LIBRAW_EXCEPTION_IO_CORRUPT; + // some kodak cameras ushort s_height = S.height, s_width = S.width, s_iwidth = S.iwidth, s_iheight = S.iheight; ushort s_flags = libraw_internal_data.unpacker_data.load_flags; 
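Review bot: The comment on the new `LIBRAW_MAX_THUMBNAIL_MB` define gives the default as `512Mb`, which reads as megabits, while the libraw_cxx.cpp hunks in this patch multiply the value by `1024ULL * 1024ULL` and compare it with byte counts. I would word it as `/* Upper bound on thumbnail size in MiB (default 512); larger sizes are rejected as too big or corrupt */`. Because the define sits behind `#ifndef`, the comment could also say that builds which decode untrusted files can lower it at compile time, since any size below the bound is still allocated from a value taken from the file.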
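Review bot: The two early returns added to dcraw_make_mem_thumb report through `*errcode` in different conventions: the short-thumbnail branch stores `EINVAL` and the oversize branch stores `LIBRAW_TOO_BIG`. A caller that interprets errcode as only one of the two may misread the other, so the choice should be made uniform or documented where errcode is declared, e.g. `// errcode receives an errno value (EINVAL) or a LibRaw error code (LIBRAW_TOO_BIG)`. The 64-byte floor is also unexplained here and in the kodak_thumb_loader and unpack_thumb hunks; a one-line comment giving its rationale at this first use would help. The function's signature and the rest of its body are outside the hunk.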
@@ -4237,6 +4257,25 @@ int LibRaw::unpack_thumb(void) CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY); CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD); +#define THUMB_SIZE_CHECKT(A) \ + do { \ + if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ + if (INT64(A) > 0 && INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ + } while (0) + +#define THUMB_SIZE_CHECKTNZ(A) \ + do { \ + if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ + if (INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ + } while (0) + + +#define THUMB_SIZE_CHECKWH(W,H) \ + do { \ + if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ + if (INT64(W)*INT64(H) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ + } while (0) + try { if (!libraw_internal_data.internal_data.input) @@ -4267,6 +4306,7 @@ int LibRaw::unpack_thumb(void) if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND) throw LIBRAW_EXCEPTION_IO_EOF; + THUMB_SIZE_CHECKT(tsize); } else { @@ -4280,6 +4320,8 @@ int LibRaw::unpack_thumb(void) ID.input->seek(ID.toffset, SEEK_SET); if (write_thumb == &LibRaw::jpeg_thumb) { + THUMB_SIZE_CHECKTNZ(T.tlength); + if (T.thumb) free(T.thumb); T.thumb = (char *)malloc(T.tlength); @@ -4326,6 +4368,7 @@ int LibRaw::unpack_thumb(void) { if (t_bytesps > 1) throw LIBRAW_EXCEPTION_IO_CORRUPT; // 8-bit thumb, but parsed for more bits + THUMB_SIZE_CHECKWH(T.twidth, T.theight); int t_length = T.twidth * T.theight * t_colors; if (T.tlength && T.tlength < t_length) // try to find tiff ifd with needed offset @@ -4351,6 +4394,7 @@ int LibRaw::unpack_thumb(void) T.tcolors = 1; } T.tlength = total_size; + THUMB_SIZE_CHECKTNZ(T.tlength); if (T.thumb) free(T.thumb); T.thumb = (char *)malloc(T.tlength); 
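Review bot: The three `THUMB_SIZE_CHECK*` macros are `#define`d inside the body of unpack_thumb and no `#undef` is visible in this patch, so they stay defined for the rest of libraw_cxx.cpp, while the kodak_thumb_loader and dcraw_make_mem_thumb hunks earlier in the file repeat the same expressions by hand. Defining them once at file scope, above the first user, would let all three functions share one definition. They also need a comment, because the names do not say that `CHECKT` accepts zero while `CHECKTNZ` rejects it, and a negative `int` argument is rejected only through the conversion to unsigned in the comparison with the `ULL` limit (assuming `INT64` is a signed 64-bit type, which is declared elsewhere). Suggested header: `/* Throw IO_CORRUPT unless 64 <= size <= LIBRAW_MAX_THUMBNAIL_MB MiB; the T variant also accepts 0 */`.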
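Review bot: In the hunk at -4326, `THUMB_SIZE_CHECKWH(T.twidth, T.theight)` bounds only width times height, but the next line evaluates `T.twidth * T.theight * t_colors` in `int`. With the area allowed up to 512 MiB, that product stays within a 32-bit `int` only while t_colors is at most 3; its range is set outside the hunk, so this cannot be confirmed from here. Checking the full product in 64-bit before the assignment would close the gap: `THUMB_SIZE_CHECKTNZ(INT64(T.twidth) * INT64(T.theight) * INT64(t_colors));`.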
@@ -4384,6 +4428,8 @@ int LibRaw::unpack_thumb(void) if (T.thumb) free(T.thumb); + THUMB_SIZE_CHECKTNZ(T.tlength); + T.thumb = (char *)malloc(T.tlength); if (!T.tcolors) T.tcolors = t_colors; @@ -4404,6 +4450,10 @@ int LibRaw::unpack_thumb(void) int i_length = T.twidth * T.theight * t_colors * 2; if (!T.tlength) T.tlength = o_length; + THUMB_SIZE_CHECKTNZ(o_length); + THUMB_SIZE_CHECKTNZ(i_length); + THUMB_SIZE_CHECKTNZ(T.tlength); + ushort *t_thumb = (ushort *)calloc(i_length, 1); ID.input->read(t_thumb, 1, i_length); if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234))
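Review bot: In the hunk at -4384, `THUMB_SIZE_CHECKTNZ(T.tlength)` is placed after `if (T.thumb) free(T.thumb);`, so when the check throws, T.thumb still holds the freed pointer. The jpeg_thumb hunk and the hunk at -4351 put the check before the free; doing the same here, or setting `T.thumb = NULL;` right after the free, avoids leaving a dangling pointer for whatever cleanup runs after the exception (that code is outside the hunk). Suggested order: `THUMB_SIZE_CHECKTNZ(T.tlength);`, then `if (T.thumb) free(T.thumb);`, then the `malloc`.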
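Review bot: The three checks added in the hunk at -4404 run on `o_length`, `i_length` and `T.tlength` only after `T.twidth * T.theight * t_colors * 2` has been evaluated in `int`, and unlike the 8-bit branch there is no `THUMB_SIZE_CHECKWH` first. If the dimension fields can hold values large enough for that product to overflow, the checks see only the overflowed result, and one that happens to fall between 64 and the limit would pass. I would validate the 64-bit product before the `int` declarations, e.g. `THUMB_SIZE_CHECKTNZ(INT64(T.twidth) * INT64(T.theight) * INT64(t_colors) * 2);`. The declaration of o_length is above the hunk, so the same may apply to it.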