Bug#1036560: unblock: libraw/0.20.2-2.1
Salvatore Bonaccorso
carnil at debian.org
Mon May 22 17:23:22 BST 2023
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libraw at packages.debian.org, carnil at debian.org
Control: affects -1 + src:libraw
Hi release team,
Please unblock package libraw
[ Reason ]
Fixing two CVEs, CVE-2021-32142 (would be considered no-dsa) and
CVE-2023-1729. As we do plan to release a DSA for bullseye-security, it
is wise to have the fixes in the upper suite as well.
[ Impact ]
libraw in bookworm is affected by CVE-2021-32142 and CVE-2023-1729 until
the bookworm point releases or a security update.
[ Tests ]
None specifically, autopkgtest with smoketest passes.
[ Risks ]
Two isolated fixes with low risk, I believe.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
None
unblock libraw/0.20.2-2.1
Regards,
Salvatore
-------------- next part --------------
diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog 2021-09-11 16:56:07.000000000 +0200
+++ libraw-0.20.2/debian/changelog 2023-05-20 21:44:42.000000000 +0200
@@ -1,3 +1,13 @@
+libraw (0.20.2-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * check for input buffer size on datastream::gets (CVE-2021-32142)
+ (Closes: #1031790)
+ * do not set shrink flag for 3/4 component images (CVE-2023-1729)
+ (Closes: #1036281)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 20 May 2023 21:44:42 +0200
+
libraw (0.20.2-2) unstable; urgency=medium
* debian/watch: bump version 3 -> 4
diff -Nru libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch
--- libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch 2023-05-20 21:44:42.000000000 +0200
@@ -0,0 +1,43 @@
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Mon, 12 Apr 2021 13:21:52 +0300
+Subject: check for input buffer size on datastream::gets
+Origin: https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49
+Bug: https://github.com/LibRaw/LibRaw/issues/400
+Bug-Debian: https://bugs.debian.org/1031790
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32142
+
+---
+ src/libraw_datastream.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
+index a5c1a84a3a8c..a31ae9dd84db 100644
+--- a/src/libraw_datastream.cpp
++++ b/src/libraw_datastream.cpp
+@@ -287,6 +287,7 @@ INT64 LibRaw_file_datastream::tell()
+
+ char *LibRaw_file_datastream::gets(char *str, int sz)
+ {
++ if(sz<1) return NULL;
+ LR_STREAM_CHK();
+ std::istream is(f.get());
+ is.getline(str, sz);
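Review bot: the new `if(sz<1) return NULL;` in LibRaw_file_datastream::gets introduces a NULL return path that the existing callers of gets() are not shown to handle in this patch; before accepting, confirm that every caller treats a NULL result as a read failure rather than dereferencing it. Two smaller points on the same line: it sits before LR_STREAM_CHK(), so a bad size is reported even when the stream itself is invalid (acceptable, but worth a one-line comment), and the same guard is copy-pasted into all three datastream subclasses; a single check in the shared base class or at the call sites would be harder to forget when a fourth stream type is added. Style: the surrounding code writes `if (cond)` with a space, this hunk writes `if(sz<1)`.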
+@@ -421,6 +422,7 @@ INT64 LibRaw_buffer_datastream::tell()
+
+ char *LibRaw_buffer_datastream::gets(char *s, int sz)
+ {
++ if(sz<1) return NULL;
+ unsigned char *psrc, *pdest, *str;
+ str = (unsigned char *)s;
+ psrc = buf + streampos;
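Review bot: the early return only rejects sz < 1, but the loop that copies from psrc into pdest is below the visible context, so this hunk alone does not show that the copy is bounded by sz - 1 to leave room for the terminating NUL when sz == 1; please extend the hunk context (or reference the follow-up change) so the reviewer can see the write bound together with the new check. The declaration lines `unsigned char *psrc, *pdest, *str;` are unchanged, which confirms the guard runs before any pointer arithmetic on `buf + streampos`, which is the right place for it.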
+@@ -618,6 +620,7 @@ INT64 LibRaw_bigfile_datastream::tell()
+
+ char *LibRaw_bigfile_datastream::gets(char *str, int sz)
+ {
++ if(sz<1) return NULL;
+ LR_BF_CHK();
+ return fgets(str, sz, f);
+ }
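Review bot: in LibRaw_bigfile_datastream::gets the guard returns NULL, which matches what `fgets(str, sz, f)` itself returns on failure, so callers see one failure value for both cases; that consistency is worth a short comment, since the C standard does not define fgets for a non-positive size and the guard is what makes this path portable rather than relying on a particular libc returning NULL for sz <= 0. As in the other two hunks, the check precedes LR_BF_CHK(); fine, but document the ordering once so it is not "fixed" later.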
+--
+2.40.1
+
diff -Nru libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch
--- libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch 2023-05-20 21:44:42.000000000 +0200
@@ -0,0 +1,28 @@
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Sat, 14 Jan 2023 18:32:59 +0300
+Subject: do not set shrink flag for 3/4 component images
+Origin: https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828
+Bug: https://github.com/LibRaw/LibRaw/issues/557
+Bug-Debian: https://bugs.debian.org/1036281
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1729
+
+---
+ src/preprocessing/raw2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
+index e65e2ad73b4a..702cf290213c 100644
+--- a/src/preprocessing/raw2image.cpp
++++ b/src/preprocessing/raw2image.cpp
+@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
+
+ // adjust for half mode!
+ IO.shrink =
++ !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
++ !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
+ P1.filters &&
+ (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
+
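Review bot: prepending four pointer tests (`!imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&` and the float3/float4 pair) to the IO.shrink expression fixes the behaviour but leaves no explanation in the code of why half-size/shrink handling must be skipped for 3- and 4-component buffers; add a comment next to the existing `// adjust for half mode!` line, or hoist the four tests into a named helper such as "has_multi_component_raw" so the intent survives the next edit to this expression. The Debian bug description mentions only an autopkgtest smoketest; a regression input with a 3- or 4-component raw under half_size would be the natural test for this change.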
+--
+2.40.1
+
diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/series 2023-05-20 21:44:42.000000000 +0200
@@ -0,0 +1,2 @@
+check-for-input-buffer-size-on-datastream-gets.patch
+do-not-set-shrink-flag-for-3-4-component-images.patch