Bug#1106536: bookworm-pu: package libraw/0.20.2-2.1+deb12u1

Moritz Muehlenhoff jmm at debian.org
Sun May 25 18:59:48 BST 2025


Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libraw at packages.debian.org
Control: affects -1 + src:libraw
User: release.debian.org at packages.debian.org
Usertags: pu

Multiple low severity issues, not warranting a DSA,
debdiff below.

Cheers,
        Moritz

diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/changelog	2025-05-18 21:10:22.000000000 +0200
@@ -1,3 +1,11 @@
+libraw (0.20.2-2.1+deb12u1) bookworm; urgency=medium
+
+  * CVE-2025-43961 / CVE-2025-43962 (Closes: #1103781)
+  * CVE-2025-43963 (Closes: #1103782)
+  * CVE-2025-43964 (Closes: #1103783)
+
+ -- Moritz Mühlenhoff <jmm at debian.org>  Sun, 18 May 2025 21:10:22 +0200
+
 libraw (0.20.2-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch	2025-05-18 21:10:06.000000000 +0200
@@ -0,0 +1,113 @@
+Combined patch of the following upstream commits:
+
+From 66fe663e02a4dd610b4e832f5d9af326709336c2 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+From be26e7639ecf8beb55f124ce780e99842de2e964 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Thu, 6 Feb 2025 21:01:58 +0300
+Subject: [PATCH] check split_col/split_row values in phase_one_correct
+
+From a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa at lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: [PATCH] additional checks in PhaseOne correction tag 0x412 processing
+
+
+--- libraw-0.20.2.orig/src/decoders/load_mfbacks.cpp
++++ libraw-0.20.2/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,8 @@ int LibRaw::phase_one_correct()
+           off_412 = ftell(ifp) - 38;
+         }
+       }
+-      else if (tag == 0x041f && !qlin_applied)
++      else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++		&& ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant linearization */
+         ushort lc[2][2][16], ref[16];
+         int qr, qc;
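Review bot: The four-part range test on `ph1.split_col` / `ph1.split_row` added to the `tag == 0x041f` branch is repeated verbatim in the `tag == 0x0431` hunk that follows, so the two copies can drift apart on a later edit. Evaluating it once, e.g. `const bool split_ok = ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height;`, and testing `&& split_ok` in both branches keeps the guard in one place (assuming `ph1` is not modified inside the tag loop, which the hunk does not show). The continuation line here is tab-indented while the 0x0431 copy uses spaces. A file with out-of-range split values now skips both quadrant corrections without any trace; a one-line comment stating that this is the intended handling of a malformed header would help. phase_one_correct() starts and ends outside the hunk.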
+@@ -288,7 +289,8 @@ int LibRaw::phase_one_correct()
+         }
+         qmult_applied = 1;
+       }
+-      else if (tag == 0x0431 && !qmult_applied)
++      else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++        && ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant combined */
+         ushort lc[2][2][7], ref[7];
+         int qr, qc;
+@@ -331,6 +333,11 @@ int LibRaw::phase_one_correct()
+       fseek(ifp, off_412, SEEK_SET);
+       for (i = 0; i < 9; i++)
+         head[i] = get4() & 0x7fff;
++      unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++      if (w0 > 10240000 || w1 > 10240000)
++        throw LIBRAW_EXCEPTION_ALLOC;
++      if (w0 < 1 || w1 < 1)
++        throw LIBRAW_EXCEPTION_IO_CORRUPT;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
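Review bot: The `calloc` and the `yval[1]` assignment after the new checks still recompute `head[1] * head[3]` and `head[2] * head[4]` instead of using the validated `w0` and `w1`, so the checked value and the value that sizes the buffer are written separately. `calloc(w0 + w1, 6)` and `yval[1] = (float *)(yval[0] + w0);` would tie the allocation to the check. The limit `10240000` appears twice with no explanation; a named constant with a one-line comment saying what it bounds and why a larger product is treated as an allocation error would document the policy. phase_one_correct() starts and ends outside the hunk.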
+@@ -356,10 +363,17 @@ int LibRaw::phase_one_correct()
+             for (k = j = 0; j < head[1]; j++)
+               if (num < xval[0][k = head[1] * i + j])
+                 break;
+-            frac = (j == 0 || j == head[1])
+-                       ? 0
+-                       : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+-            mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++			if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++				frac = 0;
++			else
++			{
++				int xdiv = (xval[0][k] - xval[0][k - 1]);
++				frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
++			}
++			if (k < w0 + w1)
++				mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
++			else
++				mult[i - cip] = 0;
+           }
+           i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+           RAW(row, col) = LIM(i, 0, 65535);
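Review bot: The search loop kept as context still evaluates `xval[0][k = head[1] * i + j]` before any of the new bounds on `k` are applied, so every `k` that reaches the added `k >= w0+w1` test has already been used as an index. If `i` can grow large enough for that test to fire (its range is set outside the hunk), the bound belongs inside the loop, ahead of the comparison: `k = head[1] * i + j; if ((unsigned)k >= w0 + w1) break;`. After such a break the new code takes its existing `frac = 0` and `mult[i - cip] = 0` paths, so nothing else has to change. Separately, `xdiv` is computed and tested but the division repeats the subtraction; `frac = xdiv ? (xval[0][k] - num) / xdiv : 0;` is equivalent and makes the zero-divisor guard obvious. The added lines are tab-indented inside a space-indented block.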
+--- libraw-0.20.2.orig/src/metadata/tiff.cpp
++++ libraw-0.20.2/src/metadata/tiff.cpp
+@@ -980,17 +980,20 @@ int LibRaw::parse_tiff_ifd(int base)
+               if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+                   (fwb[2] == rafdata[fi + 2]))
+               {
+-                if (rafdata[fi - 15] !=
++                if (fi > 14 && rafdata[fi - 15] !=
+                     fwb[0]) // 15 is offset of Tungsten WB from the first
+                             // preset, Fine Weather WB
+                   continue;
+-                for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size();
+-                     wb_ind++, ofst += 3)
++                if (fi >= 15)
+                 {
+-                  icWBC[Fuji_wb_list1[wb_ind]][1] =
+-                      icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+-                  icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+-                  icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++                    for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
++                        wb_ind++, ofst += 3)
++                    {
++                        icWBC[Fuji_wb_list1[wb_ind]][1] =
++                            icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++                        icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
++                        icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++                    }
+                 }
+ 
+                 if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
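Review bot: The two new guards spell one bound two ways (`fi > 14` and `fi >= 15`), and for `fi` below 15 the match is neither verified against `rafdata[fi - 15]` nor rejected: control skips the white-balance loop and falls through to the code after it. If that fall-through is intended, a comment on the `if (fi >= 15)` line should say so. If a match that early cannot be a real preset table, `if (fi < 15 || rafdata[fi - 15] != fwb[0]) continue;` rejects it in one place and the loop needs no second guard. parse_tiff_ifd() starts and ends outside the hunk, so what the fall-through reaches is only partly visible here.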
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                 fi += 96;
+                 for (fj = fi; fj < (fi + 15); fj += 3)
+                 {
++                  if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
++                    break;
+                   if (rafdata[fj] != rafdata[fi])
+                   {
+                     fj -= 93;
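Review bot: The added bound `fj > libraw_internal_data.unpacker_data.lenRAFData - 3` subtracts before comparing. If `lenRAFData` is an unsigned type (its declaration is not on this page), a length below 3 wraps to a very large value and the `break` never fires. Writing the test without the subtraction, `if (fj + 3 > (int)libraw_internal_data.unpacker_data.lenRAFData) break;` (assuming `fj` is an `int`), avoids the wrap. The check covers `rafdata[fj]` and, on the first iteration, `rafdata[fi]` after `fi += 96`. The reads that follow `fj -= 93` lie outside the hunk and are not visible here.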
diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/patches/series	2025-05-18 21:09:05.000000000 +0200
@@ -1,2 +1,3 @@
 check-for-input-buffer-size-on-datastream-gets.patch
 do-not-set-shrink-flag-for-3-4-component-images.patch
+CVE-2025-43961_43962_43963_43964.patch

