From 203d76622b113543ee679925cb99d7e3f2ccbe05 Mon Sep 17 00:00:00 2001 From: "A. Wilcox" Date: Wed, 23 Sep 2020 04:11:02 +0000 Subject: user/libraw: Questionably patch CVE-2020-15503 --- user/libraw/APKBUILD | 13 +++- user/libraw/CVE-2020-15503.patch | 131 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+), 3 deletions(-) create mode 100644 user/libraw/CVE-2020-15503.patch diff --git a/user/libraw/APKBUILD b/user/libraw/APKBUILD index d280c6402..881e60074 100644 --- a/user/libraw/APKBUILD +++ b/user/libraw/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=libraw pkgver=0.19.5 -pkgrel=0 +pkgrel=1 pkgdesc="Read RAW image files from digital cameras" url="https://www.libraw.org/" arch="all" @@ -10,9 +10,15 @@ license="LGPL-2.1-only OR CDDL-1.0" depends="" makedepends="jasper-dev lcms2-dev libjpeg-turbo-dev" subpackages="$pkgname-dev $pkgname-doc" -source="https://www.libraw.org/data/LibRaw-$pkgver.tar.gz" +source="https://www.libraw.org/data/LibRaw-$pkgver.tar.gz + CVE-2020-15503.patch + " builddir="$srcdir/LibRaw-$pkgver" +# secfixes: +# 0.19.5-r1: +# - CVE-2020-15503 + build() { ./configure \ --build=$CBUILD \ @@ -32,4 +38,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="4560045f75e6d2ab0d1d8686075f3a0e26a5d7ce693b48508110a2c31d19055d58983c24852da0abb64fa90db5e20f24b87aa7537ed04d958c38c8b265a7e826 LibRaw-0.19.5.tar.gz" +sha512sums="4560045f75e6d2ab0d1d8686075f3a0e26a5d7ce693b48508110a2c31d19055d58983c24852da0abb64fa90db5e20f24b87aa7537ed04d958c38c8b265a7e826 LibRaw-0.19.5.tar.gz +49feadef114b219222c0ca143f45aaa1595b7c7a4a8f8472cd6f18449082d75b3fb4314e4beba549f8f69bc49d7790777129ff1f12ee8a110988fdf12f20caae CVE-2020-15503.patch" diff --git a/user/libraw/CVE-2020-15503.patch b/user/libraw/CVE-2020-15503.patch new file mode 100644 index 000000000..94c28b6ab --- /dev/null +++ b/user/libraw/CVE-2020-15503.patch 
@@ -0,0 +1,131 @@ +--- a/libraw/libraw_const.h.orig 2020-07-03 11:22:46.761804592 -0500 ++++ b/libraw/libraw_const.h 2020-07-03 11:23:02.620793431 -0500 +@@ -24,6 +24,12 @@ + #define LIBRAW_MAX_ALLOC_MB 2048L + #endif + ++/* limit thumbnail size, default is 512Mb*/ ++#ifndef LIBRAW_MAX_THUMBNAIL_MB ++#define LIBRAW_MAX_THUMBNAIL_MB 512L ++#endif ++ ++ + /* Change to non-zero to allow (broken) CRW (and other) files metadata + loop prevention */ + #ifndef LIBRAW_METADATA_LOOP_PREVENTION +--- a/src/libraw_cxx.cpp.orig 2020-07-03 11:20:21.810906602 -0500 ++++ b/src/libraw_cxx.cpp 2020-07-03 11:37:33.802869028 -0500 +@@ -3712,6 +3712,21 @@ + return NULL; + } + ++ if (T.tlength < 64u) ++ { ++ if (errcode) ++ *errcode = EINVAL; ++ return NULL; ++ } ++ ++ if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) ++ { ++ if (errcode) ++ *errcode = LIBRAW_TOO_BIG; ++ return NULL; ++ } ++ ++ + if (T.tformat == LIBRAW_THUMBNAIL_BITMAP) + { + libraw_processed_image_t *ret = (libraw_processed_image_t *)::malloc(sizeof(libraw_processed_image_t) + T.tlength); +@@ -3976,6 +3991,12 @@ + if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND) + throw LIBRAW_EXCEPTION_IO_EOF; + ++ if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++ ++ if (INT64(T.theight) * INT64(T.twidth) < 64ULL) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++ + // some kodak cameras + ushort s_height = S.height, s_width = S.width, s_iwidth = S.iwidth, s_iheight = S.iheight; + ushort s_flags = libraw_internal_data.unpacker_data.load_flags; +@@ -4237,6 +4258,25 @@ + CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY); + CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD); + ++#define THUMB_SIZE_CHECKT(A) \ ++ do { \ ++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ if (INT64(A) > 0 && INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ } while (0) ++ ++#define THUMB_SIZE_CHECKTNZ(A) \ ++ 
do { \ ++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ if (INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ } while (0) ++ ++ ++#define THUMB_SIZE_CHECKWH(W,H) \ ++ do { \ ++ if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ if (INT64(W)*INT64(H) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ } while (0) ++ + try + { + if (!libraw_internal_data.internal_data.input) +@@ -4267,6 +4307,7 @@ + + if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND) + throw LIBRAW_EXCEPTION_IO_EOF; ++ THUMB_SIZE_CHECKT(tsize); + } + else + { +@@ -4280,6 +4321,7 @@ + ID.input->seek(ID.toffset, SEEK_SET); + if (write_thumb == &LibRaw::jpeg_thumb) + { ++ THUMB_SIZE_CHECKTNZ(T.tlength); + if (T.thumb) + free(T.thumb); + T.thumb = (char *)malloc(T.tlength); +@@ -4326,6 +4368,7 @@ + { + if (t_bytesps > 1) + throw LIBRAW_EXCEPTION_IO_CORRUPT; // 8-bit thumb, but parsed for more bits ++ THUMB_SIZE_CHECKWH(T.twidth, T.theight); + int t_length = T.twidth * T.theight * t_colors; + + if (T.tlength && T.tlength < t_length) // try to find tiff ifd with needed offset +@@ -4351,8 +4394,12 @@ + T.tcolors = 1; + } + T.tlength = total_size; ++ THUMB_SIZE_CHECKTNZ(T.tlength); + if (T.thumb) + free(T.thumb); ++ ++ THUMB_SIZE_CHECKTNZ(T.tlength); ++ + T.thumb = (char *)malloc(T.tlength); + merror(T.thumb, "ppm_thumb()"); + +@@ -4400,10 +4447,15 @@ + if (t_bytesps > 2) + throw LIBRAW_EXCEPTION_IO_CORRUPT; // 16-bit thumb, but parsed for more bits + int o_bps = (imgdata.params.raw_processing_options & LIBRAW_PROCESSING_USE_PPM16_THUMBS) ? 
2 : 1; ++ THUMB_SIZE_CHECKWH(T.twidth, T.theight); + int o_length = T.twidth * T.theight * t_colors * o_bps; + int i_length = T.twidth * T.theight * t_colors * 2; + if (!T.tlength) + T.tlength = o_length; ++ THUMB_SIZE_CHECKTNZ(o_length); ++ THUMB_SIZE_CHECKTNZ(i_length); ++ THUMB_SIZE_CHECKTNZ(T.tlength); ++ + ushort *t_thumb = (ushort *)calloc(i_length, 1); + ID.input->read(t_thumb, 1, i_length); + if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234)) -- cgit v1.2.3-70-g09d2
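Review bot: In the 8-bit and 16-bit thumbnail branches the new `THUMB_SIZE_CHECKWH(T.twidth, T.theight)` bounds only width × height, while the byte counts that follow (`t_length`, `o_length`, `i_length`) are still computed in `int` and multiply in `t_colors` and a factor of up to 2. A product close to the `LIBRAW_MAX_THUMBNAIL_MB` limit can therefore exceed INT_MAX before `THUMB_SIZE_CHECKTNZ(o_length)` and `THUMB_SIZE_CHECKTNZ(i_length)` see it, so those checks inspect an already-overflowed value that then feeds `calloc(i_length, 1)` and `ID.input->read(t_thumb, 1, i_length)`. Doing the multiplication in 64 bits and checking before narrowing would avoid relying on wrap-around, e.g. `INT64 i_len64 = INT64(T.twidth) * INT64(T.theight) * t_colors * 2; THUMB_SIZE_CHECKTNZ(i_len64);` (this assumes `t_colors` is a small integer; its declaration is outside the hunk). The second `THUMB_SIZE_CHECKTNZ(T.tlength);` just before the `malloc` in the ppm_thumb path repeats the check made two lines earlier and can be dropped. The enclosing functions start and end outside these hunks.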