Your message dated Thu, 29 May 2025 10:41:28 +0200
with message-id <adgduj-yql1sm...@debian.org>
and subject line Re: Bug#1106358: bookworm-pu: package libraw/0.20.2-2.1+deb12u1
has caused the Debian Bug report #1106358,
regarding bookworm-pu: package libraw/0.20.2-2.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1106358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106358
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lib...@packages.debian.org
Control: affects -1 + src:libraw
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]

Fix <no-dsa> security issues CVE-2025-4396[1-4].

[ Impact ]

Users will remain vulnerable to the aforementioned issues.  Upgrading
users might regress as the issues are fixed in Bullseye LTS.

[ Tests ]

The package lacks automated tests but bound checks from the debdiff have
been tested.

[ Risks ]

Low risk: each patch comes from upstream and trivially applies to 0.20.2-2.1.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser.
  * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related
    to large w0 or w1 values or the frac and mult calculations.
  * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row
    values are not checked in 0x041f tag processing.
  * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not
    enforce minimum w0 and w1 values.
  * Add d/salsa-ci.yml for Salsa CI.

-- 
Guilhem.
diffstat for libraw-0.20.2 libraw-0.20.2

 changelog                          |   15 +++++
 patches/CVE-2025-43961_43962.patch |  107 +++++++++++++++++++++++++++++++++++++
 patches/CVE-2025-43963.patch       |   35 ++++++++++++
 patches/CVE-2025-43964.patch       |   24 ++++++++
 patches/series                     |    3 +
 salsa-ci.yml                       |    8 ++
 6 files changed, 192 insertions(+)

diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog      2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/changelog      2025-05-18 13:58:06.000000000 +0200
@@ -1,3 +1,18 @@
+libraw (0.20.2-2.1+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser.
+    (Closes: #1103781)
+  * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related
+    to large w0 or w1 values or the frac and mult calculations.
+    (Closes: #1103781)
+  * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row
+    values are not checked in 0x041f tag processing. (Closes: #1103782)
+  * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not
+    enforce minimum w0 and w1 values. (Closes: #1103783)
+
+ -- Guilhem Moulin <guil...@debian.org>  Sun, 18 May 2025 13:58:06 +0200
+
 libraw (0.20.2-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
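Review bot: the new changelog entry lists the four CVE fixes but has no bullet for the added debian/salsa-ci.yml, which the [ Changes ] summary lists ("Add d/salsa-ci.yml for Salsa CI") and the diffstat shows as 8 added lines. Add a matching bullet so the checklist item "all changes are documented in the d/changelog" holds.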
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch 
libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch     2025-05-18 
13:58:06.000000000 +0200
@@ -0,0 +1,107 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+prevent OOB reads in phase_one_correct
+
+Origin: 
https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43961
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43962
+Bug-Debian: https://bugs.debian.org/1103781
+---
+ src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
+ src/metadata/tiff.cpp         | 26 ++++++++++++++++----------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c051..ded154c 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -331,6 +331,9 @@ int LibRaw::phase_one_correct()
+       fseek(ifp, off_412, SEEK_SET);
+       for (i = 0; i < 9; i++)
+         head[i] = get4() & 0x7fff;
++        unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++        if (w0 > 10240000 || w1 > 10240000)
++                throw LIBRAW_EXCEPTION_ALLOC;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
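Review bot: the three added lines after the `for` loop are indented one level deeper than `head[i] = get4() & 0x7fff;`, which reads as if they belonged to the brace-less loop body; align them with `fseek(ifp, off_412, SEEK_SET);`. The `calloc` on the following line could take `w0 + w1` instead of recomputing `head[1] * head[3] + head[2] * head[4]`, so that the size that was checked is the size that is allocated. Within this patch only an upper limit is enforced; a w0 or w1 of zero still passes.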
+@@ -356,10 +359,17 @@ int LibRaw::phase_one_correct()
+             for (k = j = 0; j < head[1]; j++)
+               if (num < xval[0][k = head[1] * i + j])
+                 break;
+-            frac = (j == 0 || j == head[1])
+-                       ? 0
+-                       : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+-            mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++                      if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++                              frac = 0;
++                      else
++                      {
++                              int xdiv = (xval[0][k] - xval[0][k - 1]);
++                              frac = xdiv ? (xval[0][k] - num) / (xval[0][k] 
- xval[0][k - 1]) : 0;
++                      }
++                      if (k < w0 + w1)
++                              mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * 
frac + yval[0][k] * (1 - frac);
++                      else
++                              mult[i - cip] = 0;
+           }
+           i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+           RAW(row, col) = LIM(i, 0, 65535);
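Review bot: the new `k >= w0+w1` test runs after the search loop, but the loop condition `num < xval[0][k = head[1] * i + j]` has already read `xval[0][k]` for every k it visits, so if k can reach w0+w1, as the test implies, that read is still unguarded; bound k inside the loop as well. In the `else` branch, `xdiv` is computed as an `int` and only tested, while the division recomputes `xval[0][k] - xval[0][k - 1]`; dividing by `xdiv`, or testing the difference in its own type, keeps the zero test and the divisor identical.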
+diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
+index cd2406d..09e976a 100644
+--- a/src/metadata/tiff.cpp
++++ b/src/metadata/tiff.cpp
+@@ -980,18 +980,21 @@ int LibRaw::parse_tiff_ifd(int base)
+               if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+                   (fwb[2] == rafdata[fi + 2]))
+               {
+-                if (rafdata[fi - 15] !=
++                if (fi > 14 && rafdata[fi - 15] !=
+                     fwb[0]) // 15 is offset of Tungsten WB from the first
+                             // preset, Fine Weather WB
+                   continue;
+-                for (int wb_ind = 0, ofst = fi - 15; wb_ind < 
Fuji_wb_list1.size();
+-                     wb_ind++, ofst += 3)
+-                {
+-                  icWBC[Fuji_wb_list1[wb_ind]][1] =
+-                      icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+-                  icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+-                  icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+-                }
++                              if (fi >= 15)
++                              {
++                                      for (int wb_ind = 0, ofst = fi - 15; 
wb_ind < (int)Fuji_wb_list1.size();
++                                              wb_ind++, ofst += 3)
++                                      {
++                                              icWBC[Fuji_wb_list1[wb_ind]][1] 
=
++                                                      
icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++                                              icWBC[Fuji_wb_list1[wb_ind]][0] 
= rafdata[ofst + 1];
++                                              icWBC[Fuji_wb_list1[wb_ind]][2] 
= rafdata[ofst + 2];
++                                      }
++                              }
+ 
+                 if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
+                     (imFuji.RAFDataVersion == 0x0261) || // X100V
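Review bot: with `fi > 14 &&` placed in front, the `continue` is no longer taken when fi is below 15, so a match found at a small fi skips the copy loop (now under `if (fi >= 15)`) but still falls through to the RAFDataVersion handling that follows. If a match that early cannot be a valid white-balance block, `if (fi < 15 || rafdata[fi - 15] != fwb[0]) continue;` says so directly and makes the second guard unnecessary. The copy loop also reads up to `rafdata[ofst + 2]` with no upper bound against `lenRAFData`, unlike the loops touched in the next two hunks.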
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                 fi += 96;
+                 for (fj = fi; fj < (fi + 15); fj += 3)
+                 {
++                                      if (fj > 
libraw_internal_data.unpacker_data.lenRAFData - 3)
++                                              break;
+                   if (rafdata[fj] != rafdata[fi])
+                   {
+                     fj -= 93;
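Review bot: the guard added here is `fj > lenRAFData - 3` (fj equal to lenRAFData - 3 passes), while the loop condition added in the next hunk is `ofst < lenRAFData - 3` (ofst equal to lenRAFData - 3 stops), so the two boundaries differ by one. Use one form for both and note in a comment which elements past the index are read, so the `- 3` can be checked against the actual accesses.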
+@@ -1009,7 +1014,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                         (imFuji.RAFDataVersion == 0x0261) || // X100V
+                         (imFuji.RAFDataVersion == 0x0262))   // X-T4
+                       fj -= 9;
+-                    for (int iCCT = 0, ofst = fj; iCCT < 31;
++                    for (int iCCT = 0, ofst = fj; iCCT < 31
++                                              && ofst < 
libraw_internal_data.unpacker_data.lenRAFData - 3;
+                          iCCT++, ofst += 3)
+                     {
+                       icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];
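Review bot: the added loop condition bounds `ofst` only from above. `ofst` starts at `fj` after `fj -= 93` and, for the three listed RAFDataVersion values, a further `fj -= 9`, and nothing in the visible lines keeps it non-negative; add `ofst >= 0` to the condition or check `fj` right after the subtractions.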
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43963.patch 
libraw-0.20.2/debian/patches/CVE-2025-43963.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43963.patch   1970-01-01 
01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43963.patch   2025-05-18 
13:58:06.000000000 +0200
@@ -0,0 +1,35 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Thu, 6 Feb 2025 21:01:58 +0300
+Subject: check split_col/split_row values in phase_one_correct
+
+Origin: 
https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43963
+Bug-Debian: https://bugs.debian.org/1103782
+---
+ src/decoders/load_mfbacks.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index ded154c..f506e41 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,8 @@ int LibRaw::phase_one_correct()
+           off_412 = ftell(ifp) - 38;
+         }
+       }
+-      else if (tag == 0x041f && !qlin_applied)
++      else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && 
ph1.split_col < raw_width
++              && ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant linearization */
+         ushort lc[2][2][16], ref[16];
+         int qr, qc;
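Review bot: folding the range test into the `else if` condition means a 0x041f tag whose split_col or split_row is out of range is skipped silently and processing continues, whereas the 0x412 checks in the other patches throw (`LIBRAW_EXCEPTION_ALLOC`, `LIBRAW_EXCEPTION_IO_CORRUPT`). If the silent skip is intended, a short comment saying so would help; otherwise test the values inside the branch and report corrupt data.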
+@@ -288,7 +289,8 @@ int LibRaw::phase_one_correct()
+         }
+         qmult_applied = 1;
+       }
+-      else if (tag == 0x0431 && !qmult_applied)
++      else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && 
ph1.split_col < raw_width 
++              && ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant combined */
+         ushort lc[2][2][7], ref[7];
+         int qr, qc;
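Review bot: the four-term split_col/split_row test is repeated verbatim from the 0x041f branch; computing it once into a local and using that in both conditions keeps the two branches from drifting apart. The first added line of this hunk also ends in trailing whitespace after `raw_width`.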
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43964.patch 
libraw-0.20.2/debian/patches/CVE-2025-43964.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43964.patch   1970-01-01 
01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43964.patch   2025-05-18 
13:58:06.000000000 +0200
@@ -0,0 +1,24 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: additional checks in PhaseOne correction tag 0x412 processing
+
+Origin: 
https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0
+Bug-Debian: https://security-tracker.debian.org/CVE-2025-43964
+Bug-Debian: https://bugs.debian.org/1103783
+---
+ src/decoders/load_mfbacks.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index f506e41..b85195f 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -336,6 +336,8 @@ int LibRaw::phase_one_correct()
+         unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+         if (w0 > 10240000 || w1 > 10240000)
+                 throw LIBRAW_EXCEPTION_ALLOC;
++        if (w0 < 1 || w1 < 1)
++                throw LIBRAW_EXCEPTION_IO_CORRUPT;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
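Review bot: in the patch header, the first Bug-Debian line points to `https://security-tracker.debian.org/CVE-2025-43964`, while the other two patches use the `https://security-tracker.debian.org/tracker/CVE-...` form; use the same form here. In the code, `w0` and `w1` are `unsigned`, so `w0 < 1 || w1 < 1` is a zero test and could be written as `w0 == 0 || w1 == 0`, and the indentation of the added lines has the same misleading depth under the brace-less `for` as the lines above them.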
diff -Nru libraw-0.20.2/debian/patches/series 
libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series 2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/patches/series 2025-05-18 13:58:06.000000000 +0200
@@ -1,2 +1,5 @@
 check-for-input-buffer-size-on-datastream-gets.patch
 do-not-set-shrink-flag-for-3-4-component-images.patch
+CVE-2025-43961_43962.patch
+CVE-2025-43963.patch
+CVE-2025-43964.patch
diff -Nru libraw-0.20.2/debian/salsa-ci.yml libraw-0.20.2/debian/salsa-ci.yml
--- libraw-0.20.2/debian/salsa-ci.yml   1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/salsa-ci.yml   2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,8 @@
+---
+include:
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bookworm'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
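Review bot: `SALSA_CI_DISABLE_REPROTEST: 1` and `SALSA_CI_DISABLE_LINTIAN: 1` switch off two pipeline jobs with no comment saying why. Add a one-line YAML comment for each, or drop the overrides, so a later uploader can tell whether they may be re-enabled.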



--- End Message ---
--- Begin Message ---
Hi Salvatore,

On Thu, 29 May 2025 at 08:48:20 +0200, Salvatore Bonaccorso wrote:
> Looks there was overlapping work with Moritz here and Moritz did then
> already upload.

Oh, that's unfortunate.

> So I would say to close this bug in favour of #1106536?

Makes sense, closing this one then.

-- 
Guilhem.

--- End Message ---
