Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: lib...@packages.debian.org Control: affects -1 + src:libraw User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Fix <no-dsa> security issues CVE-2025-4396[1-4]. [ Impact ] Users will remain vulnerable to the aforementioned issues. Users upgrading from Bullseye LTS, where the issues are already fixed, would regress. [ Tests ] The package lacks automated tests, but the bounds checks from the debdiff have been tested. [ Risks ] Low risk: each patch comes from upstream and trivially applies to 0.20.2-2.1. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable [ Changes ] * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser. * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations. * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing. * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not enforce minimum w0 and w1 values. * Add d/salsa-ci.yml for Salsa CI. -- Guilhem.
diffstat for libraw-0.20.2 libraw-0.20.2
 changelog | 15 +++++
 patches/CVE-2025-43961_43962.patch | 107 +++++++++++++++++++++++++++++++++++++
 patches/CVE-2025-43963.patch | 35 ++++++++++++
 patches/CVE-2025-43964.patch | 24 ++++++++
 patches/series | 3 +
 salsa-ci.yml | 8 ++
 6 files changed, 192 insertions(+)
diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog 2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/changelog 2025-05-18 13:58:06.000000000 +0200
@@ -1,3 +1,18 @@
+libraw (0.20.2-2.1+deb12u1) bookworm; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser.
+ (Closes: #1103781)
+ * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related
+ to large w0 or w1 values or the frac and mult calculations.
+ (Closes: #1103781)
+ * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row
+ values are not checked in 0x041f tag processing. (Closes: #1103782)
+ * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not
+ enforce minimum w0 and w1 values. (Closes: #1103783)
+
+ -- Guilhem Moulin <guil...@debian.org> Sun, 18 May 2025 13:58:06 +0200
+
 libraw (0.20.2-2.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch 2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,107 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+prevent OOB reads in phase_one_correct
+
+Origin: https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43961
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43962
+Bug-Debian: https://bugs.debian.org/1103781
+---
+ src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
+ src/metadata/tiff.cpp | 26 ++++++++++++++++----------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c051..ded154c 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -331,6 +331,9 @@ int LibRaw::phase_one_correct()
+ fseek(ifp, off_412, SEEK_SET);
+ for (i = 0; i < 9; i++)
+ head[i] = get4() & 0x7fff;
++ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++ if (w0 > 10240000 || w1 > 10240000)
++ throw LIBRAW_EXCEPTION_ALLOC;
+ yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+ merror(yval[0], "phase_one_correct()");
+ yval[1] = (float *)(yval[0] + head[1] * head[3]);
+@@ -356,10 +359,17 @@ int LibRaw::phase_one_correct()
+ for (k = j = 0; j < head[1]; j++)
+ if (num < xval[0][k = head[1] * i + j])
+ break;
+- frac = (j == 0 || j == head[1])
+- ? 0
+- : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+- mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++ if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++ frac = 0;
++ else
++ {
++ int xdiv = (xval[0][k] - xval[0][k - 1]);
++ frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
++ }
++ if (k < w0 + w1)
++ mult[i - cip] = yval[0][k > 0 ? 
k - 1 : 0] * frac + yval[0][k] * (1 - frac);
++ else
++ mult[i - cip] = 0;
+ }
+ i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+ RAW(row, col) = LIM(i, 0, 65535);
+diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
+index cd2406d..09e976a 100644
+--- a/src/metadata/tiff.cpp
++++ b/src/metadata/tiff.cpp
+@@ -980,18 +980,21 @@ int LibRaw::parse_tiff_ifd(int base)
+ if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+ (fwb[2] == rafdata[fi + 2]))
+ {
+- if (rafdata[fi - 15] !=
++ if (fi > 14 && rafdata[fi - 15] !=
+ fwb[0]) // 15 is offset of Tungsten WB from the first
+ // preset, Fine Weather WB
+ continue;
+- for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size();
+- wb_ind++, ofst += 3)
+- {
+- icWBC[Fuji_wb_list1[wb_ind]][1] =
+- icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+- icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+- icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+- }
++ if (fi >= 15)
++ {
++ for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
++ wb_ind++, ofst += 3)
++ {
++ icWBC[Fuji_wb_list1[wb_ind]][1] =
++ icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++ icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
++ icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++ }
++ }
+
+ if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
+ (imFuji.RAFDataVersion == 0x0261) || // X100V
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+ fi += 96;
+ for (fj = fi; fj < (fi + 15); fj += 3)
+ {
++ if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
++ break;
+ if (rafdata[fj] != rafdata[fi])
+ {
+ fj -= 93;
+@@ -1009,7 +1014,8 @@ int LibRaw::parse_tiff_ifd(int base)
+ (imFuji.RAFDataVersion == 0x0261) || // X100V
+ (imFuji.RAFDataVersion == 0x0262)) // X-T4
+ fj -= 9;
+- for (int iCCT = 0, ofst = fj; iCCT < 31;
++ for (int iCCT = 0, ofst = fj; iCCT < 31
++ && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
+ iCCT++, ofst += 3)
+ {
+ icWBCCTC[iCCT][0] 
= FujiCCT_K[iCCT];
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43963.patch libraw-0.20.2/debian/patches/CVE-2025-43963.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43963.patch 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43963.patch 2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,35 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Thu, 6 Feb 2025 21:01:58 +0300
+Subject: check split_col/split_row values in phase_one_correct
+
+Origin: https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43963
+Bug-Debian: https://bugs.debian.org/1103782
+---
+ src/decoders/load_mfbacks.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index ded154c..f506e41 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,8 @@ int LibRaw::phase_one_correct()
+ off_412 = ftell(ifp) - 38;
+ }
+ }
+- else if (tag == 0x041f && !qlin_applied)
++ else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++ && ph1.split_row > 0 && ph1.split_row < raw_height)
+ { /* Quadrant linearization */
+ ushort lc[2][2][16], ref[16];
+ int qr, qc;
+@@ -288,7 +289,8 @@ int LibRaw::phase_one_correct()
+ }
+ qmult_applied = 1;
+ }
+- else if (tag == 0x0431 && !qmult_applied)
++ else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++ && ph1.split_row > 0 && ph1.split_row < raw_height)
+ { /* Quadrant combined */
+ ushort lc[2][2][7], ref[7];
+ int qr, qc;
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43964.patch libraw-0.20.2/debian/patches/CVE-2025-43964.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43964.patch 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43964.patch 2025-05-18 13:58:06.000000000 +0200
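Review bot: In the first tiff.cpp hunk the Fuji_wb_list1 loop is guarded only at the low end by the new `if (fi >= 15)`; its reads of `rafdata[ofst]`..`rafdata[ofst + 2]` run ofst up to `fi - 15 + 3 * (Fuji_wb_list1.size() - 1)` with no comparison against lenRAFData, whereas the next two hunks in the same file add exactly such an upper bound (`fj > ... lenRAFData - 3` and `ofst < ... lenRAFData - 3`). Whether the enclosing fi loop already leaves room for those extra entries cannot be seen here (parse_tiff_ifd and its fi loop start outside the hunk), so I would make the bound explicit and consistent with the later loops: `wb_ind < (int)Fuji_wb_list1.size() && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;`. In the load_mfbacks.cpp hunk the analogous caveat is that `xval[0][k = head[1] * i + j]` is read inside the search loop before the new `k >= w0+w1` test, so that test protects the frac/mult lines but not the read itself; whether k can reach w0+w1 there depends on the range of i, which is outside the hunk. Both new conditions also compare `k` with the `unsigned` w0+w1; if `k` is a signed int (declared outside the hunk) this is a sign-compare warning and deserves one explicit cast or an unsigned local rather than two implicit conversions.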
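Review bot: The same four-term range predicate on ph1.split_col/ph1.split_row is written out twice, once in the `tag == 0x041f` condition of the first hunk and once in the `tag == 0x0431` condition of the second; computed once before the tag dispatch as `const bool split_ok = ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height;` and tested as `&& split_ok` in both branches it cannot drift between them. A short comment on the effect of a failed check would also help, since the quadrant indexing the bound protects is not in the hunk: `// quadrant split must fall strictly inside the frame; out-of-range values skip this correction`. Note that a corrupt split value now silently skips the correction rather than failing the decode, which is the upstream choice and worth stating in that comment. phase_one_correct() and its tag loop start outside the hunk.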
@@ -0,0 +1,24 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: additional checks in PhaseOne correction tag 0x412 processing
+
+Origin: https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0
+Bug-Debian: https://security-tracker.debian.org/CVE-2025-43964
+Bug-Debian: https://bugs.debian.org/1103783
+---
+ src/decoders/load_mfbacks.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index f506e41..b85195f 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -336,6 +336,8 @@ int LibRaw::phase_one_correct()
+ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+ if (w0 > 10240000 || w1 > 10240000)
+ throw LIBRAW_EXCEPTION_ALLOC;
++ if (w0 < 1 || w1 < 1)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+ merror(yval[0], "phase_one_correct()");
+ yval[1] = (float *)(yval[0] + head[1] * head[3]);
diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series 2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/patches/series 2025-05-18 13:58:06.000000000 +0200
@@ -1,2 +1,5 @@
 check-for-input-buffer-size-on-datastream-gets.patch
 do-not-set-shrink-flag-for-3-4-component-images.patch
+CVE-2025-43961_43962.patch
+CVE-2025-43963.patch
+CVE-2025-43964.patch
diff -Nru libraw-0.20.2/debian/salsa-ci.yml libraw-0.20.2/debian/salsa-ci.yml
--- libraw-0.20.2/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/salsa-ci.yml 2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,8 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
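Review bot: The new minimum check on w0/w1 and the existing maximum check sit as two separate statements throwing two different exceptions, with no comment stating the accepted range, so a reader has to reassemble `1 <= w0, w1 <= 10240000` from both lines. Suggest a comment above the first check, `// tag 0x412 tables: a zero-sized table is corrupt input, more than 10240000 entries is refused before calloc`, and, since w0 and w1 now carry the validated sizes, using them in the allocation that follows (`calloc(w0 + w1, 6)`) so the checked and the allocated quantities cannot diverge. phase_one_correct() starts outside the hunk.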
signature.asc
Description: PGP signature