List: kde-release-team
Subject: Fwd: Re: KDE SC 4.11.3 tarballs
From: Torgny Nyblom <nyblom () kde ! org>
Date: 2013-11-04 14:47:14
Message-ID: 1648461.aExIfVlpLS () explosive ! nyblom ! org
[Attachment #2 (multipart/signed)]
[Attachment #4 (multipart/mixed)]
Hi,
We received a patch, presented as a security fix, in response to the
announcement of the KDE SC 4.11.3 tarballs to packagers. As it is a patch
against your project and we deem it to be non-trivial, we would like you to
comment on whether it should be part of KDE SC or not. In the former case,
please update libkdcraw for all relevant branches.
/Regards
Torgny Nyblom
Release team
---------- Forwarded Message ----------
Subject: Re: KDE SC 4.11.3 tarballs
Date: Sunday 03 November 2013, 16.52.57
From: José Manuel Santamaría Lema <panfaust@gmail.com>
To: kde-packager@kde.org
Torgny Nyblom <nyblom@kde.org>
> Hi,
>
> The tarballs for the 4.11.3 release are now available in the usual
> location.
>
> I've not compiled them so please report any issues you find.
>
> sha1 sums and revisions/hashes are attached.
>
> /Regards
> Torgny
About libdcraw I'm inclined to think it should include the attached patch
before releasing 4.11.3.
[...]
-----------------------------------------
["libkdcraw_CVE-2013-143x.diff" (libkdcraw_CVE-2013-143x.diff)]
Description: fix denial of service via crafted photo files
Origin: backport, https://github.com/LibRaw/LibRaw/commit/c4e374ea6c979a7d1d968f5082b7d0ea8cd27202
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721338
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721239
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721340
Index: libkdcraw/libraw/internal/dcraw_common.cpp
===================================================================
--- libkdcraw.orig/libraw/internal/dcraw_common.cpp 2013-10-01 20:08:24.478682563 +0200
+++ libkdcraw/libraw/internal/dcraw_common.cpp 2013-10-01 20:08:24.474682721 +0200
@@ -606,7 +606,10 @@
int CLASS ljpeg_diff (ushort *huff)
{
int len, diff;
-
+#ifdef LIBRAW_LIBRARY_BUILD
+ if(!huff)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
len = gethuff(huff);
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
return -32768;
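Review bot: The null check on `huff` in ljpeg_diff is compiled only when LIBRAW_LIBRARY_BUILD is defined, so a build without that macro still passes a null table to `gethuff(huff)`; the header sanity check added in the @@ -742 hunk has the same gap. The row check in the @@ -817 hunk covers both builds by putting `longjmp (failure, 3);` in its `#else` branch. If the non-library build is still supported, add an `#else` branch with `if(!huff) longjmp (failure, 3);` here and an equivalent one at the header check; if it is not, a one-line comment saying so would explain the asymmetry. ljpeg_diff's body continues outside the hunk.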
@@ -620,6 +623,8 @@
int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushort *huff)
{
int len, diff;
+ if(!huff || !buf)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
len = bits._gethuff_lj(buf,*huff,huff+1);
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
@@ -742,6 +747,10 @@
if (!ljpeg_start (&jh, 0)) return;
+#ifdef LIBRAW_LIBRARY_BUILD
+ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
jwide = jh.wide * jh.clrs;
#ifdef LIBRAW_LIBRARY_BUILD
@@ -755,18 +764,25 @@
{
// not sliced
slicesW[slicesWcnt++] = raw_width; // safe fallback
+
+
}
-
- slices = slicesWcnt * jh.high;
- offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
- for(slice=0;slice<slices;slice++)
- {
- offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
- if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
- throw LIBRAW_EXCEPTION_IO_BADFILE;
- t_y++;
- if(t_y == jh.high)
+ slices = slicesWcnt * jh.high;
+ if(!slices)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
+
+ for(slice=0;slice<slices;slice++)
+ {
+ offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
+ if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
+ {
+ free(offset);
+ throw LIBRAW_EXCEPTION_IO_BADFILE;
+ }
+ t_y++;
+ if(t_y == jh.high)
{
t_y = 0;
t_x += slicesW[t_s++];
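Review bot: The result of `calloc(slices+1,sizeof(offset[0]))` is used by the loop that follows without a null test, so an allocation failure on a file with a large slice count turns into a write through a null pointer at `offset[slice] = ...`. The patch already rejects `slices == 0` and frees `offset` on the bad-file path, so the missing case is only the failed allocation. Add `if(!offset) throw LIBRAW_EXCEPTION_ALLOC;` directly after the calloc line. The enclosing function starts and ends outside the hunk, so any later use of `offset` should be checked against the same assumption.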
@@ -817,12 +833,28 @@
pixno++;
if (0 == --pixelsInSlice)
{
+ if(slice > slices)
+ {
+ free(offset);
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ }
unsigned o = offset[slice++];
pixno = o & 0x0fffffff;
pixelsInSlice = slicesW[o>>28];
}
}
#endif
+
+ if(row>raw_height)
+#ifdef LIBRAW_LIBRARY_BUILD
+ {
+ free(offset);
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ }
+#else
+ longjmp (failure, 3);
+#endif
+
if (raw_width == 3984 && (col -= 2) < 0)
col += (row--,raw_width);
if (row >= 0) RAW(row,col) = val;
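Review bot: The new guard `if(row>raw_height)` still lets `row == raw_height` through, and the store on the last line of the hunk is protected only by `row >= 0`, so a crafted file can apparently still reach `RAW(row,col)` one row past the image. The `raw_width == 3984` adjustment can decrement `row` before the store, which may be why the guard is not `>=`, so the bound is better enforced at the write itself: `if (row >= 0 && row < raw_height) RAW(row,col) = val;`. Whether the RAW buffer has slack for an extra row is not visible here and should be confirmed. The loop body starts and ends outside the hunk.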
@@ -5135,6 +5167,7 @@
data_offset = get4()+base;
ifd++; break;
}
+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
while (len--) {
i = ftell(ifp);
fseek (ifp, get4()+base, SEEK_SET);
@@ -5353,7 +5386,7 @@
break;
case 50715: /* BlackLevelDeltaH */
case 50716: /* BlackLevelDeltaV */
- for (num=i=0; i < len; i++)
+ for (num=i=0; i < len && i < 65536; i++)
num += getreal(type);
black += num/len + 0.5;
break;
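Review bot: The loop over BlackLevelDeltaH/V values is now capped at 65536 iterations, but the average on the next line still divides by `len`, so for a tag with more entries the sum of 65536 values is divided by the full, file-controlled count. A `len` of 0 is also not excluded by anything visible in the hunk and would make `num/len` a division by zero. Dividing by the number of values actually read fixes both: `if (i) black += num/i + 0.5;`. The enclosing switch statement continues outside the hunk.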
@@ -5486,9 +5519,12 @@
if (thumb_offset) {
fseek (ifp, thumb_offset, SEEK_SET);
if (ljpeg_start (&jh, 1)) {
- thumb_misc = jh.bits;
- thumb_width = jh.wide;
- thumb_height = jh.high;
+ if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
+ {
+ thumb_misc = jh.bits;
+ thumb_width = jh.wide;
+ thumb_height = jh.high;
+ }
}
}
for (i=0; i < tiff_nifds; i++) {
@@ -5496,7 +5532,8 @@
max_samp = tiff_ifd[i].samples;
if (max_samp > 3) max_samp = 3;
if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
- (tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
raw_width = tiff_ifd[i].t_width;
raw_height = tiff_ifd[i].t_height;
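Review bot: The `bps` bound is spelled differently in the two places this patch adds it: here `(unsigned)tiff_ifd[i].bps < 33` accepts 0, while the thumbnail selection in the @@ -5582 hunk uses `tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33`. The hunk also mixes `unsigned(...)` and `(unsigned)...` casts on adjacent lines. Pick one form for both sites and add a short comment giving the reason for the limits, for example `/* reject header fields outside sane TIFF ranges: bps <= 32, samples <= 12 */`. The enclosing loop body continues outside the hunk.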
@@ -5582,17 +5619,19 @@
!strstr(model2,"DEBUG RAW")))
is_raw = 0;
for (i=0; i < tiff_nifds; i++)
- if (i != raw && tiff_ifd[i].samples == max_samp &&
- tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
- thumb_width * thumb_height / SQR(thumb_misc+1)
- && tiff_ifd[i].comp != 34892) {
- thumb_width = tiff_ifd[i].t_width;
- thumb_height = tiff_ifd[i].t_height;
- thumb_offset = tiff_ifd[i].offset;
- thumb_length = tiff_ifd[i].bytes;
- thumb_misc = tiff_ifd[i].bps;
- thm = i;
- }
+ if (i != raw && tiff_ifd[i].samples == max_samp &&
+ tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+ tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
+ thumb_width * thumb_height / SQR(thumb_misc+1)
+ && tiff_ifd[i].comp != 34892) {
+ thumb_width = tiff_ifd[i].t_width;
+ thumb_height = tiff_ifd[i].t_height;
+ thumb_offset = tiff_ifd[i].offset;
+ thumb_length = tiff_ifd[i].bytes;
+ thumb_misc = tiff_ifd[i].bps;
+ thm = i;
+ }
if (thm >= 0) {
thumb_misc |= tiff_ifd[thm].samples << 5;
switch (tiff_ifd[thm].comp) {
Index: libkdcraw/libraw/src/libraw_datastream.cpp
===================================================================
--- libkdcraw.orig/libraw/src/libraw_datastream.cpp 2013-10-01 20:08:24.478682563 +0200
+++ libkdcraw/libraw/src/libraw_datastream.cpp 2013-10-01 20:08:24.474682721 +0200
@@ -64,7 +64,12 @@
LibRaw_byte_buffer *LibRaw_abstract_datastream::make_byte_buffer(unsigned int sz)
{
+ if(sz> 2u * 1024u * 1024u * 1024u) // 2GB is enough
+ throw LIBRAW_EXCEPTION_ALLOC;
+
LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(sz);
+ if(!ret) // failed new should throw std::exception
+ throw LIBRAW_EXCEPTION_ALLOC;
read(ret->get_buffer(),sz,1);
return ret;
}
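Review bot: The added `if(!ret)` test after `new LibRaw_byte_buffer(sz)` can never fire, because a plain `new` reports failure by throwing `std::bad_alloc` rather than returning null, as the comment beside it already concedes; the same dead check is added to LibRaw_buffer_datastream::make_byte_buffer in the next hunk. As written, an allocation failure escapes as `std::bad_alloc` instead of LIBRAW_EXCEPTION_ALLOC. Either use `new (std::nothrow) LibRaw_byte_buffer(sz)` so the test is live, or drop it. What the following `read(ret->get_buffer(),sz,1)` actually needs is a check that the buffer inside the object was allocated (the constructor is not visible here, so that is worth confirming), and `ret` appears to be leaked if `read` throws.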
@@ -441,7 +446,10 @@
LibRaw_byte_buffer *LibRaw_buffer_datastream::make_byte_buffer(unsigned int sz)
{
+
LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(0);
+ if(!ret) // failed new should throw std::exception
+ throw LIBRAW_EXCEPTION_ALLOC;
if(streampos + sz > streamsize)
sz = streamsize - streampos;
ret->set_buffer(buf+streampos,sz);
["signature.asc" (application/pgp-signature)]
_______________________________________________
release-team mailing list
release-team@kde.org
https://mail.kde.org/mailman/listinfo/release-team