[Pkg-phototools-devel] Bug#864183: Bug#864183: CVE-2017-6886 CVE-2017-6887

David Bremner david at tethera.net
Tue Jun 6 11:20:51 UTC 2017

Moritz Muehlenhoff <jmm at debian.org> writes:

> Source: libraw
> Severity: grave
> Tags: security
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6886
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6887

I started to look at this, but gave up on (me) fixing it for the initial
stretch release.

1. Between the version in stretch and the version being patched,
upstream has run the 15k line dcraw.c through clang-format, which means
the patch referenced in the CVE would need to move about 2k lines to
apply :(.

2. As I started to try to hand apply upstream d7c3d2cb460be10, I
realized there are security-related changes from some other commit

-      if (len > 2560000 || !(cbuf = (char *)malloc(len)))
+      if (len < 1 || len > 2560000 || !(cbuf = (char *)malloc(len)))
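
Review bot: on the `+` line, what `len < 1` actually guards depends on the type of `len`, which is not visible in this hunk. If `len` is unsigned, the new test only rejects zero, and any wrapped negative value is caught solely by the `len > 2560000` bound. The declaration should be checked when backporting. The limit 2560000 is also an unexplained literal; a named constant or a short comment stating where it comes from would make it easier to tell whether both bounds are present in a given branch. Moving the `malloc(len)` assignment out of the condition would let a rejected length and a failed allocation be handled and reported separately.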

in particular the (len > 2560000) is not present in the code in stretch.

It seems to come from upstream commit 8d0935 [3 files changed, 208
insertions(+), 154 deletions(-)], which also would need hand applying,
or some other cleverness.
