Processed: Re: Bug#839927: jessie-pu: package rawtherapee/4.2-1+deb8u1

2016-10-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #839927 [release.debian.org] jessie-pu: package rawtherapee/4.2-1+deb8u1
Added tag(s) pending.

-- 
839927: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839927
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#839927: jessie-pu: package rawtherapee/4.2-1+deb8u1

2016-10-12 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2016-10-08 at 21:11 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2016-10-07 at 00:26 +0200, Philip Rinn wrote:
> > Sorry, I didn't attach the debdiff; it was only a 'git diff ...'. Now I have
> > attached the real debdiff.
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#839927: jessie-pu: package rawtherapee/4.2-1+deb8u1

2016-10-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #839927 [release.debian.org] jessie-pu: package rawtherapee/4.2-1+deb8u1
Added tag(s) confirmed.

-- 
839927: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839927
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#839927: jessie-pu: package rawtherapee/4.2-1+deb8u1

2016-10-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2016-10-07 at 00:26 +0200, Philip Rinn wrote:
> Sorry, I didn't attach the debdiff; it was only a 'git diff ...'. Now I have
> attached the real debdiff.

Please go ahead.

Regards,

Adam



Bug#839927: jessie-pu: package rawtherapee/4.2-1+deb8u1

2016-10-06 Thread Philip Rinn
Sorry, I didn't attach the debdiff; it was only a 'git diff ...'. Now I have
attached the real debdiff.

Best,
Philip

diff -Nru rawtherapee-4.2/debian/changelog rawtherapee-4.2/debian/changelog
--- rawtherapee-4.2/debian/changelog2015-06-09 20:45:39.0 +0200
+++ rawtherapee-4.2/debian/changelog2016-10-06 12:36:00.0 +0200
@@ -1,3 +1,10 @@
+rawtherapee (4.2-1+deb8u2) jessie; urgency=high
+
+  * Add patch debian/patches/03-fix-overflow-in-dcraw.patch:
+- Fix buffer overflow in dcraw (CVE-2015-8366)
+
+ -- Philip Rinn   Thu, 06 Oct 2016 12:36:00 +0200
+
 rawtherapee (4.2-1+deb8u1) jessie; urgency=high
 
   * Add patch debian/patches/02-fix_CVE-2015-3885.patch:
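Review bot: the version introduced in this entry is 4.2-1+deb8u2, but the bug is still titled rawtherapee/4.2-1+deb8u1; please retitle the bug to the version actually being uploaded so the release team tracks the right one. Also, the sub-item `- Fix buffer overflow in dcraw (CVE-2015-8366)` sits at the left margin in the visible diff instead of being indented under the `*` entry; confirm the indentation in the real file so it renders as a nested bullet of that entry.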
diff -Nru rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch 
rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch
--- rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch   
1970-01-01 01:00:00.0 +0100
+++ rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch   
2016-10-06 12:35:26.0 +0200
@@ -0,0 +1,18 @@
+Author: Hubert Chathi 
+Description: Fix buffer overflow in dcraw (CVE-2015-8366)
+Origin: 
https://vcs.uhoreg.ca/git/cgit/debpkg-ufraw/commit/?id=54688b5896b39003becdfee3c803c58c94f14df3
+Last-update: 2016-10-06
+--- a/rtengine/dcraw.cc
 b/rtengine/dcraw.cc
+@@ -3221,7 +3221,10 @@
+   diff = diff ? -diff : 0x80;
+ if (ftell(ifp) + 12 >= seg[1][1])
+   diff = 0;
+-raw_image[pix] = pred[pix & 1] += diff;
++if(pix>=raw_width*raw_height)
++  derror();
++else
++  raw_image[pix] = pred[pix & 1] += diff;
+ if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }
+   maximum = 0xff;
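Review bot: the guard `if(pix>=raw_width*raw_height) derror(); else raw_image[pix] = pred[pix & 1] += diff;` is placed before the only write to `raw_image[pix]` in this hunk, so an out-of-range index no longer writes past the buffer, and the predictor update is skipped together with the write, which is consistent. Two things to confirm that are not visible here: whether `derror()` aborts decoding or merely records the error and returns; if it returns, the loop continues and the check is re-evaluated on each iteration, so every later out-of-range write is also skipped, but the caller must then treat the flagged error as a failed decode rather than emitting a partially decoded image. Second, the bound is recomputed as the product `raw_width*raw_height` on each iteration; if those fields are narrower than `int`, the product can wrap for very large dimensions, so comparing against the element count that was used for the `raw_image` allocation, stored once, would be the more robust check.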
diff -Nru rawtherapee-4.2/debian/patches/series 
rawtherapee-4.2/debian/patches/series
--- rawtherapee-4.2/debian/patches/series   2015-05-14 17:30:07.0 
+0200
+++ rawtherapee-4.2/debian/patches/series   2016-10-06 12:35:47.0 
+0200
@@ -1,2 +1,3 @@
 01-fix_build_race-condition.patch
 02-fix_CVE-2015-3885.patch
+03-fix-overflow-in-dcraw.patch
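Review bot: the new patch is named `03-fix-overflow-in-dcraw.patch`, while the preceding security patch in this series is `02-fix_CVE-2015-3885.patch`; naming it with the CVE identifier (for example `03-fix_CVE-2015-8366.patch`) would keep the series consistent and make the fix findable by CVE from the file name alone.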




Bug#839927: jessie-pu: package rawtherapee/4.2-1+deb8u1

2016-10-06 Thread Philip Rinn
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

rawtherapee is affected by the security issue CVE-2015-8366[1]. It's marked no-dsa;
that's why I want to coordinate the update with you.

I attached the debdiff.

Best,
Philip


[1] https://security-tracker.debian.org/tracker/CVE-2015-8366
diff --git a/debian/changelog b/debian/changelog
index bbfd8e2..288c1b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+rawtherapee (4.2-1+deb8u2) jessie; urgency=high
+
+  * Add patch debian/patches/03-fix-overflow-in-dcraw.patch:
+- Fix buffer overflow in dcraw (CVE-2015-8366)
+
+ -- Philip Rinn   Thu, 06 Oct 2016 12:36:00 +0200
+
 rawtherapee (4.2-1+deb8u1) jessie; urgency=high
 
   * Add patch debian/patches/02-fix_CVE-2015-3885.patch:
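Review bot: the `index bbfd8e2..288c1b0` line shows this is a `git diff` of the packaging repository rather than a debdiff against the uploaded source package; the release team reviews the source debdiff, so this attachment is superseded by the real debdiff sent in the follow-up message and need not be reviewed separately.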
diff --git a/debian/patches/03-fix-overflow-in-dcraw.patch b/debian/patches/03-fix-overflow-in-dcraw.patch
new file mode 100644
index 000..6f9a282
--- /dev/null
+++ b/debian/patches/03-fix-overflow-in-dcraw.patch
@@ -0,0 +1,18 @@
+Author: Hubert Chathi 
+Description: Fix buffer overflow in dcraw (CVE-2015-8366)
+Origin: https://vcs.uhoreg.ca/git/cgit/debpkg-ufraw/commit/?id=54688b5896b39003becdfee3c803c58c94f14df3
+Last-update: 2016-10-06
+--- a/rtengine/dcraw.cc
 b/rtengine/dcraw.cc
+@@ -3221,7 +3221,10 @@
+   diff = diff ? -diff : 0x80;
+ if (ftell(ifp) + 12 >= seg[1][1])
+   diff = 0;
+-raw_image[pix] = pred[pix & 1] += diff;
++if(pix>=raw_width*raw_height)
++  derror();
++else
++  raw_image[pix] = pred[pix & 1] += diff;
+ if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }
+   maximum = 0xff;
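Review bot: the `+++` target line of the embedded patch for `rtengine/dcraw.cc` appears here as ` b/rtengine/dcraw.cc` with its leading markers missing, so verify that the file in the package applies cleanly with `quilt push` before upload rather than trusting the rendered copy. The DEP-3 header carries `Author`, `Description`, `Origin` and `Last-update`; adding a `Bug-Debian:` or `Bug:` field pointing at the tracker entry for CVE-2015-8366 would make the fix traceable from the patch itself.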
diff --git a/debian/patches/series b/debian/patches/series
index abb467d..4aa855a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 01-fix_build_race-condition.patch
 02-fix_CVE-2015-3885.patch
+03-fix-overflow-in-dcraw.patch