summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorA. Wilcox <AWilcox@Wilcox-Tech.com>2020-09-23 04:11:02 +0000
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2020-09-23 04:11:02 +0000
commit203d76622b113543ee679925cb99d7e3f2ccbe05 (patch)
tree07b1e10d10234607bd0ac16e041bb6253bf893cd
parent85258b9619881ee4ab8d52737f3a6ec4f61d983b (diff)
downloadpackages-203d76622b113543ee679925cb99d7e3f2ccbe05.tar.gz
packages-203d76622b113543ee679925cb99d7e3f2ccbe05.tar.bz2
packages-203d76622b113543ee679925cb99d7e3f2ccbe05.tar.xz
packages-203d76622b113543ee679925cb99d7e3f2ccbe05.zip
user/libraw: Questionably patch CVE-2020-15503
-rw-r--r--user/libraw/APKBUILD13
-rw-r--r--user/libraw/CVE-2020-15503.patch131
2 files changed, 141 insertions, 3 deletions
diff --git a/user/libraw/APKBUILD b/user/libraw/APKBUILD
index d280c6402..881e60074 100644
--- a/user/libraw/APKBUILD
+++ b/user/libraw/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=libraw
pkgver=0.19.5
-pkgrel=0
+pkgrel=1
pkgdesc="Read RAW image files from digital cameras"
url="https://www.libraw.org/"
arch="all"
@@ -10,9 +10,15 @@ license="LGPL-2.1-only OR CDDL-1.0"
depends=""
makedepends="jasper-dev lcms2-dev libjpeg-turbo-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://www.libraw.org/data/LibRaw-$pkgver.tar.gz"
+source="https://www.libraw.org/data/LibRaw-$pkgver.tar.gz
+ CVE-2020-15503.patch
+ "
builddir="$srcdir/LibRaw-$pkgver"
+# secfixes:
+# 0.19.5-r1:
+# - CVE-2020-15503
+
build() {
./configure \
--build=$CBUILD \
@@ -32,4 +38,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="4560045f75e6d2ab0d1d8686075f3a0e26a5d7ce693b48508110a2c31d19055d58983c24852da0abb64fa90db5e20f24b87aa7537ed04d958c38c8b265a7e826 LibRaw-0.19.5.tar.gz"
+sha512sums="4560045f75e6d2ab0d1d8686075f3a0e26a5d7ce693b48508110a2c31d19055d58983c24852da0abb64fa90db5e20f24b87aa7537ed04d958c38c8b265a7e826 LibRaw-0.19.5.tar.gz
+49feadef114b219222c0ca143f45aaa1595b7c7a4a8f8472cd6f18449082d75b3fb4314e4beba549f8f69bc49d7790777129ff1f12ee8a110988fdf12f20caae CVE-2020-15503.patch"
diff --git a/user/libraw/CVE-2020-15503.patch b/user/libraw/CVE-2020-15503.patch
new file mode 100644
index 000000000..94c28b6ab
--- /dev/null
+++ b/user/libraw/CVE-2020-15503.patch
@@ -0,0 +1,131 @@
+--- a/libraw/libraw_const.h.orig 2020-07-03 11:22:46.761804592 -0500
++++ b/libraw/libraw_const.h 2020-07-03 11:23:02.620793431 -0500
+@@ -24,6 +24,12 @@
+ #define LIBRAW_MAX_ALLOC_MB 2048L
+ #endif
+
++/* limit thumbnail size, default is 512Mb*/
++#ifndef LIBRAW_MAX_THUMBNAIL_MB
++#define LIBRAW_MAX_THUMBNAIL_MB 512L
++#endif
++
++
+ /* Change to non-zero to allow (broken) CRW (and other) files metadata
+ loop prevention */
+ #ifndef LIBRAW_METADATA_LOOP_PREVENTION
+--- a/src/libraw_cxx.cpp.orig 2020-07-03 11:20:21.810906602 -0500
++++ b/src/libraw_cxx.cpp 2020-07-03 11:37:33.802869028 -0500
+@@ -3712,6 +3712,21 @@
+ return NULL;
+ }
+
++ if (T.tlength < 64u)
++ {
++ if (errcode)
++ *errcode = EINVAL;
++ return NULL;
++ }
++
++ if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
++ {
++ if (errcode)
++ *errcode = LIBRAW_TOO_BIG;
++ return NULL;
++ }
++
++
+ if (T.tformat == LIBRAW_THUMBNAIL_BITMAP)
+ {
+ libraw_processed_image_t *ret = (libraw_processed_image_t *)::malloc(sizeof(libraw_processed_image_t) + T.tlength);
+@@ -3976,6 +3991,12 @@
+ if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND)
+ throw LIBRAW_EXCEPTION_IO_EOF;
+
++ if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++
++ if (INT64(T.theight) * INT64(T.twidth) < 64ULL)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++
+ // some kodak cameras
+ ushort s_height = S.height, s_width = S.width, s_iwidth = S.iwidth, s_iheight = S.iheight;
+ ushort s_flags = libraw_internal_data.unpacker_data.load_flags;
+@@ -4237,6 +4258,25 @@
+ CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY);
+ CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD);
+
++#define THUMB_SIZE_CHECKT(A) \
++ do { \
++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ if (INT64(A) > 0 && INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ } while (0)
++
++#define THUMB_SIZE_CHECKTNZ(A) \
++ do { \
++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ if (INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ } while (0)
++
++
++#define THUMB_SIZE_CHECKWH(W,H) \
++ do { \
++ if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ if (INT64(W)*INT64(H) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ } while (0)
++
+ try
+ {
+ if (!libraw_internal_data.internal_data.input)
+@@ -4267,6 +4307,7 @@
+
+ if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND)
+ throw LIBRAW_EXCEPTION_IO_EOF;
++ THUMB_SIZE_CHECKT(tsize);
+ }
+ else
+ {
+@@ -4280,6 +4321,7 @@
+ ID.input->seek(ID.toffset, SEEK_SET);
+ if (write_thumb == &LibRaw::jpeg_thumb)
+ {
++ THUMB_SIZE_CHECKTNZ(T.tlength);
+ if (T.thumb)
+ free(T.thumb);
+ T.thumb = (char *)malloc(T.tlength);
+@@ -4326,6 +4368,7 @@
+ {
+ if (t_bytesps > 1)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT; // 8-bit thumb, but parsed for more bits
++ THUMB_SIZE_CHECKWH(T.twidth, T.theight);
+ int t_length = T.twidth * T.theight * t_colors;
+
+ if (T.tlength && T.tlength < t_length) // try to find tiff ifd with needed offset
+@@ -4351,8 +4394,12 @@
+ T.tcolors = 1;
+ }
+ T.tlength = total_size;
++ THUMB_SIZE_CHECKTNZ(T.tlength);
+ if (T.thumb)
+ free(T.thumb);
++
++ THUMB_SIZE_CHECKTNZ(T.tlength);
++
+ T.thumb = (char *)malloc(T.tlength);
+ merror(T.thumb, "ppm_thumb()");
+
+@@ -4400,10 +4447,15 @@
+ if (t_bytesps > 2)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT; // 16-bit thumb, but parsed for more bits
+ int o_bps = (imgdata.params.raw_processing_options & LIBRAW_PROCESSING_USE_PPM16_THUMBS) ? 2 : 1;
++ THUMB_SIZE_CHECKWH(T.twidth, T.theight);
+ int o_length = T.twidth * T.theight * t_colors * o_bps;
+ int i_length = T.twidth * T.theight * t_colors * 2;
+ if (!T.tlength)
+ T.tlength = o_length;
++ THUMB_SIZE_CHECKTNZ(o_length);
++ THUMB_SIZE_CHECKTNZ(i_length);
++ THUMB_SIZE_CHECKTNZ(T.tlength);
++
+ ushort *t_thumb = (ushort *)calloc(i_length, 1);
+ ID.input->read(t_thumb, 1, i_length);
+ if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234))