!7 fix CVE-2018-20363 CVE-2018-20364 CVE-2018-20365

From: @zhanghua1831 Reviewed-by: @small_leek Signed-off-by: @small_leek
2020-09-17 11:44:31 +08:00 · 2020-09-17 11:44:31 +08:00 · 0f255f096b
commit 0f255f096b
parent 5ccdf2b90e b8bb0e550e
4 changed files with 112 additions and 2 deletions
--- a/CVE-2018-20363.patch
+++ b/CVE-2018-20363.patch
@ -0,0 +1,31 @@
+From 7e29b9f29449fde30cc878fbb137d61c14bba3a4 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Wed, 19 Dec 2018 14:17:51 +0300
+Subject: [PATCH] Possible write to NULL at raw2image
+
+---
+ src/libraw_cxx.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
+index 1a8a2f25..074d81a4 100644
+--- a/src/libraw_cxx.cpp
+++ b/src/libraw_cxx.cpp
+@@ -3346,7 +3346,7 @@ int LibRaw::raw2image(void)
+   {
+     raw2image_start();
+ 
+-    if (is_phaseone_compressed())
+    if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
+     {
+       phase_one_allocate_tempbuffer();
+       int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
+@@ -3374,7 +3374,7 @@ int LibRaw::raw2image(void)
+     get_decoder_info(&decoder_info);
+ 
+     // Move saved bitmap to imgdata.image
+-    if (imgdata.idata.filters || P1.colors == 1)
+    if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
+     {
+       if (IO.fuji_width)
+       {
--- a/CVE-2018-20364.patch
+++ b/CVE-2018-20364.patch
@ -0,0 +1,41 @@
+From 7903346bfd5f8c24e5bfd4df48f0e5cd1e7b65cb Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Fri, 21 Dec 2018 09:37:05 +0300
+Subject: [PATCH] check for raw_image presence in raw2image_ex
+
+---
+ src/libraw_cxx.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
+index 074d81a4..43aed1cc 100644
+--- a/src/libraw_cxx.cpp
+++ b/src/libraw_cxx.cpp
+@@ -3374,7 +3374,8 @@ int LibRaw::raw2image(void)
+     get_decoder_info(&decoder_info);
+ 
+     // Move saved bitmap to imgdata.image
+-    if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
+    if ((imgdata.idata.filters || P1.colors == 1) 
+       && imgdata.rawdata.raw_image)
+     {
+       if (IO.fuji_width)
+       {
+@@ -3638,7 +3639,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
+     raw2image_start();
+ 
+     // Compressed P1 files with bl data!
+-    if (is_phaseone_compressed())
+    if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
+     {
+       phase_one_allocate_tempbuffer();
+       int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
+@@ -3745,7 +3746,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
+     }
+ 
+     // Move saved bitmap to imgdata.image
+-    if (imgdata.idata.filters || P1.colors == 1)
+    if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
+     {
+       if (IO.fuji_width)
+       {
--- a/CVE-2018-20365.patch
+++ b/CVE-2018-20365.patch
@ -0,0 +1,33 @@
+From 561ec9a7fb5ec694104a22b7b6cd820bfa449784 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Thu, 10 Jan 2019 09:22:39 +0300
+Subject: [PATCH] Sinar 4shot: zero filters for multi-shot images
+
+---
+ internal/dcraw_common.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index 29cc72f..1ca70cf 100644
+--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
+@@ -18969,10 +18969,15 @@ void CLASS identify()
+   {
+     if (!load_raw)
+       load_raw = &CLASS unpacked_load_raw;
+-    if (is_raw > 1 && !shot_select && !half_size)
+    if (is_raw > 1 && !shot_select)
+       filters = 0;
+     maximum = 0x3fff;
+   }
+  else if(load_raw == &LibRaw::sinar_4shot_load_raw)
+  {
+    if (is_raw > 1 && !shot_select)
+      filters = 0;
+  }
+   else if (!strncmp(make, "Leaf", 4))
+   {
+     maximum = 0x3fff;
+-- 
+2.23.0
+
--- a/LibRaw.spec
+++ b/LibRaw.spec
@ -1,6 +1,6 @@
 Name:          LibRaw
 Version:       0.19.0
-Release:       9
+Release:       10
 Summary:       Library for reading RAW files obtained from digital photo cameras
 License:       BSD and (CDDL or LGPLv2)
 URL:           http://www.libraw.org
@ -8,7 +8,9 @@ Source0:       http://www.libraw.org/data/%{name}-%{version}.tar.gz
 Patch0002:     LibRaw-0.17.1-CVE-2015-8366-8367.patch
 Patch6000:     LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch
 Patch6001:     CVE-2018-20337.patch 
-
+Patch6002:     CVE-2018-20363.patch
+Patch6003:     CVE-2018-20364.patch
+Patch6004:     CVE-2018-20365.patch
 BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
 Provides:      bundled(dcraw) = 9.25
 %description
@ -67,6 +69,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %exclude %{_docdir}/libraw/*

 %changelog
+* Wed Sep 16 2020 zhanghua <zhanghua40@huawei.com> - 0.19.0-10
+- Fix CVE-2018-20363, CVE-2018-20364, CVE-2018-20365
+
 * Mon Jul 13 2020 wangyue <wangyue92@huawei.com> - 0.19.0-9
 - Fix CVE-2018-20337.