s-pu upload to fix no-dsa security issues in libraw

Guilhem Moulin guilhem at debian.org
Sun May 18 13:09:26 BST 2025


Hi Matteo,

While working on an upload for buster ELTS I noticed the version of
src:libraw currently found in bookworm is vulnerable to CVE-2025-4396[1-4]
(marked no-dsa by the security team) [0].  The issues are already fixed
in trixie and bullseye-security so it makes sense to fix them in
bookworm as well.

The upstream patches trivially apply to 0.20.2-2.1.  I attach a tested
debdiff; individual commits and tag can be found on the LTS team fork [1].

Unless you object I'll file a bookworm-pu bug with these changes.

Cheers,
-- 
Guilhem.

[0] https://security-tracker.debian.org/tracker/source-package/libraw
[1] https://salsa.debian.org/lts-team/packages/libraw/-/tree/debian/bookworm
-------------- next part --------------
diffstat for libraw-0.20.2 libraw-0.20.2

 changelog                          |   15 +++++
 patches/CVE-2025-43961_43962.patch |  107 +++++++++++++++++++++++++++++++++++++
 patches/CVE-2025-43963.patch       |   35 ++++++++++++
 patches/CVE-2025-43964.patch       |   24 ++++++++
 patches/series                     |    3 +
 salsa-ci.yml                       |    8 ++
 6 files changed, 192 insertions(+)

diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/changelog	2025-05-18 13:58:06.000000000 +0200
@@ -1,3 +1,18 @@
+libraw (0.20.2-2.1+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser.
+    (Closes: #1103781)
+  * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related
+    to large w0 or w1 values or the frac and mult calculations.
+    (Closes: #1103781)
+  * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row
+    values are not checked in 0x041f tag processing. (Closes: #1103782)
+  * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not
+    enforce minimum w0 and w1 values. (Closes: #1103783)
+
+ -- Guilhem Moulin <guilhem at debian.org>  Sun, 18 May 2025 13:58:06 +0200
+
 libraw (0.20.2-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,107 @@
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+prevent OOB reads in phase_one_correct
+
+Origin: https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43961
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43962
+Bug-Debian: https://bugs.debian.org/1103781
+---
+ src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
+ src/metadata/tiff.cpp         | 26 ++++++++++++++++----------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c051..ded154c 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -331,6 +331,9 @@ int LibRaw::phase_one_correct()
+       fseek(ifp, off_412, SEEK_SET);
+       for (i = 0; i < 9; i++)
+         head[i] = get4() & 0x7fff;
++	  unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++	  if (w0 > 10240000 || w1 > 10240000)
++		  throw LIBRAW_EXCEPTION_ALLOC;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
+@@ -356,10 +359,17 @@ int LibRaw::phase_one_correct()
+             for (k = j = 0; j < head[1]; j++)
+               if (num < xval[0][k = head[1] * i + j])
+                 break;
+-            frac = (j == 0 || j == head[1])
+-                       ? 0
+-                       : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+-            mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++			if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++				frac = 0;
++			else
++			{
++				int xdiv = (xval[0][k] - xval[0][k - 1]);
++				frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
++			}
++			if (k < w0 + w1)
++				mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
++			else
++				mult[i - cip] = 0;
+           }
+           i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+           RAW(row, col) = LIM(i, 0, 65535);
+diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
+index cd2406d..09e976a 100644
+--- a/src/metadata/tiff.cpp
++++ b/src/metadata/tiff.cpp
+@@ -980,18 +980,21 @@ int LibRaw::parse_tiff_ifd(int base)
+               if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+                   (fwb[2] == rafdata[fi + 2]))
+               {
+-                if (rafdata[fi - 15] !=
++                if (fi > 14 && rafdata[fi - 15] !=
+                     fwb[0]) // 15 is offset of Tungsten WB from the first
+                             // preset, Fine Weather WB
+                   continue;
+-                for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size();
+-                     wb_ind++, ofst += 3)
+-                {
+-                  icWBC[Fuji_wb_list1[wb_ind]][1] =
+-                      icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+-                  icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+-                  icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+-                }
++				if (fi >= 15)
++				{
++					for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
++						wb_ind++, ofst += 3)
++					{
++						icWBC[Fuji_wb_list1[wb_ind]][1] =
++							icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++						icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
++						icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++					}
++				}
+ 
+                 if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
+                     (imFuji.RAFDataVersion == 0x0261) || // X100V
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                 fi += 96;
+                 for (fj = fi; fj < (fi + 15); fj += 3)
+                 {
++					if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
++						break;
+                   if (rafdata[fj] != rafdata[fi])
+                   {
+                     fj -= 93;
+@@ -1009,7 +1014,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                         (imFuji.RAFDataVersion == 0x0261) || // X100V
+                         (imFuji.RAFDataVersion == 0x0262))   // X-T4
+                       fj -= 9;
+-                    for (int iCCT = 0, ofst = fj; iCCT < 31;
++                    for (int iCCT = 0, ofst = fj; iCCT < 31
++						&& ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
+                          iCCT++, ofst += 3)
+                     {
+                       icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43963.patch libraw-0.20.2/debian/patches/CVE-2025-43963.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43963.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43963.patch	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,35 @@
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Thu, 6 Feb 2025 21:01:58 +0300
+Subject: check split_col/split_row values in phase_one_correct
+
+Origin: https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43963
+Bug-Debian: https://bugs.debian.org/1103782
+---
+ src/decoders/load_mfbacks.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index ded154c..f506e41 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,8 @@ int LibRaw::phase_one_correct()
+           off_412 = ftell(ifp) - 38;
+         }
+       }
+-      else if (tag == 0x041f && !qlin_applied)
++      else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++		&& ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant linearization */
+         ushort lc[2][2][16], ref[16];
+         int qr, qc;
+@@ -288,7 +289,8 @@ int LibRaw::phase_one_correct()
+         }
+         qmult_applied = 1;
+       }
+-      else if (tag == 0x0431 && !qmult_applied)
++      else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width 
++		&& ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant combined */
+         ushort lc[2][2][7], ref[7];
+         int qr, qc;
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43964.patch libraw-0.20.2/debian/patches/CVE-2025-43964.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43964.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43964.patch	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,24 @@
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: additional checks in PhaseOne correction tag 0x412 processing
+
+Origin: https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0
+Bug-Debian: https://security-tracker.debian.org/CVE-2025-43964
+Bug-Debian: https://bugs.debian.org/1103783
+---
+ src/decoders/load_mfbacks.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index f506e41..b85195f 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -336,6 +336,8 @@ int LibRaw::phase_one_correct()
+ 	  unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+ 	  if (w0 > 10240000 || w1 > 10240000)
+ 		  throw LIBRAW_EXCEPTION_ALLOC;
++	  if (w0 < 1 || w1 < 1)
++		  throw LIBRAW_EXCEPTION_IO_CORRUPT;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/patches/series	2025-05-18 13:58:06.000000000 +0200
@@ -1,2 +1,5 @@
 check-for-input-buffer-size-on-datastream-gets.patch
 do-not-set-shrink-flag-for-3-4-component-images.patch
+CVE-2025-43961_43962.patch
+CVE-2025-43963.patch
+CVE-2025-43964.patch
diff -Nru libraw-0.20.2/debian/salsa-ci.yml libraw-0.20.2/debian/salsa-ci.yml
--- libraw-0.20.2/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/salsa-ci.yml	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,8 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bookworm'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-phototools-devel/attachments/20250518/b7a83424/attachment.sig>


More information about the Pkg-phototools-devel mailing list