!77 Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964

From: @starlet-dx Reviewed-by: @wk333 Signed-off-by: @wk333
Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964
2025-05-06 01:49:47 +00:00 · 2025-05-06 12:04:35 +08:00 · 2025-04-24 11:19:43 +00:00 · 2025-04-21 17:56:48 +08:00 · 2024-03-26 06:39:27 +00:00 · 2024-03-26 14:15:25 +08:00
7 changed files with 266 additions and 2 deletions
--- a/CVE-2021-32142.patch
+++ b/CVE-2021-32142.patch
@ -0,0 +1,37 @@
+From bc3aaf4223fdb70d52d470dae65c5a7923ea2a49 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Mon, 12 Apr 2021 13:21:52 +0300
+Subject: [PATCH] check for input buffer size on datastream::gets
+
+---
+ src/libraw_datastream.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
+index a5c1a84a..a31ae9dd 100644
+--- a/src/libraw_datastream.cpp
+++ b/src/libraw_datastream.cpp
+@@ -287,6 +287,7 @@ INT64 LibRaw_file_datastream::tell()
+ 
+ char *LibRaw_file_datastream::gets(char *str, int sz)
+ {
+  if(sz<1) return NULL;
+   LR_STREAM_CHK();
+   std::istream is(f.get());
+   is.getline(str, sz);
+@@ -421,6 +422,7 @@ INT64 LibRaw_buffer_datastream::tell()
+ 
+ char *LibRaw_buffer_datastream::gets(char *s, int sz)
+ {
+  if(sz<1) return NULL;
+   unsigned char *psrc, *pdest, *str;
+   str = (unsigned char *)s;
+   psrc = buf + streampos;
+@@ -618,6 +620,7 @@ INT64 LibRaw_bigfile_datastream::tell()
+ 
+ char *LibRaw_bigfile_datastream::gets(char *str, int sz)
+ {
+  if(sz<1) return NULL;
+   LR_BF_CHK();
+   return fgets(str, sz, f);
+ }
--- a/CVE-2023-1729.patch
+++ b/CVE-2023-1729.patch
@ -0,0 +1,22 @@
+From 9ab70f6dca19229cb5caad7cc31af4e7501bac93 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 14 Jan 2023 18:32:59 +0300
+Subject: [PATCH] do not set shrink flag for 3/4 component images
+
+---
+ src/preprocessing/raw2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
+index e65e2ad7..702cf290 100644
+--- a/src/preprocessing/raw2image.cpp
+++ b/src/preprocessing/raw2image.cpp
+@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
+ 
+   // adjust for half mode!
+   IO.shrink =
+	  !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
+	  !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
+       P1.filters &&
+       (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
+ 
--- a/CVE-2025-43961_CVE-2025-43962.patch
+++ b/CVE-2025-43961_CVE-2025-43962.patch
@ -0,0 +1,105 @@
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+prevent OOB reads in phase_one_correct
+
+(cherry picked from commit 66fe663e02a4dd610b4e832f5d9af326709336c2)
+---
+ src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
+ src/metadata/tiff.cpp         | 27 +++++++++++++++++----------
+ 2 files changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c051..ded154c 100644
+--- a/src/decoders/load_mfbacks.cpp
+++ b/src/decoders/load_mfbacks.cpp
+@@ -331,6 +331,9 @@ int LibRaw::phase_one_correct()
+       fseek(ifp, off_412, SEEK_SET);
+       for (i = 0; i < 9; i++)
+         head[i] = get4() & 0x7fff;
+	  unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+	  if (w0 > 10240000 || w1 > 10240000)
+		  throw LIBRAW_EXCEPTION_ALLOC;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
+@@ -356,10 +359,17 @@ int LibRaw::phase_one_correct()
+             for (k = j = 0; j < head[1]; j++)
+               if (num < xval[0][k = head[1] * i + j])
+                 break;
+-            frac = (j == 0 || j == head[1])
+-                       ? 0
+-                       : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+-            mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
+			if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
+				frac = 0;
+			else
+			{
+				int xdiv = (xval[0][k] - xval[0][k - 1]);
+				frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
+			}
+			if (k < w0 + w1)
+				mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
+			else
+				mult[i - cip] = 0;
+           }
+           i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+           RAW(row, col) = LIM(i, 0, 65535);
+diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
+index cd2406d..53a8c04 100644
+--- a/src/metadata/tiff.cpp
+++ b/src/metadata/tiff.cpp
+@@ -980,18 +980,21 @@ int LibRaw::parse_tiff_ifd(int base)
+               if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+                   (fwb[2] == rafdata[fi + 2]))
+               {
+-                if (rafdata[fi - 15] !=
+                if (fi > 14 && rafdata[fi - 15] !=
+                     fwb[0]) // 15 is offset of Tungsten WB from the first
+                             // preset, Fine Weather WB
+                   continue;
+-                for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size();
+-                     wb_ind++, ofst += 3)
+-                {
+-                  icWBC[Fuji_wb_list1[wb_ind]][1] =
+-                      icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+-                  icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+-                  icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+-                }
+				if (fi >= 15)
+				{
+					for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
+						wb_ind++, ofst += 3)
+					{
+						icWBC[Fuji_wb_list1[wb_ind]][1] =
+							icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+						icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+						icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+					}
+				}
+ 
+                 if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
+                     (imFuji.RAFDataVersion == 0x0261) || // X100V
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                 fi += 96;
+                 for (fj = fi; fj < (fi + 15); fj += 3)
+                 {
+					if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
+						break;
+                   if (rafdata[fj] != rafdata[fi])
+                   {
+                     fj -= 93;
+@@ -1009,7 +1014,9 @@ int LibRaw::parse_tiff_ifd(int base)
+                         (imFuji.RAFDataVersion == 0x0261) || // X100V
+                         (imFuji.RAFDataVersion == 0x0262))   // X-T4
+                       fj -= 9;
+-                    for (int iCCT = 0, ofst = fj; iCCT < 31;
+//printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e);
+                    for (int iCCT = 0, ofst = fj; iCCT < 31 
+						&& ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
+                          iCCT++, ofst += 3)
+                     {
+                       icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];
--- a/CVE-2025-43964.patch
+++ b/CVE-2025-43964.patch
@ -0,0 +1,22 @@
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: additional checks in PhaseOne correction tag 0x412 processing
+
+(cherry picked from commit a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0)
+---
+ src/decoders/load_mfbacks.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 61eedeb..db0dc74 100644
+--- a/src/decoders/load_mfbacks.cpp
+++ b/src/decoders/load_mfbacks.cpp
+@@ -336,6 +336,8 @@ int LibRaw::phase_one_correct()
+ 	  unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+ 	  if (w0 > 10240000 || w1 > 10240000)
+ 		  throw LIBRAW_EXCEPTION_ALLOC;
+	  if (w0 < 1 || w1 < 1)
+		  throw LIBRAW_EXCEPTION_IO_CORRUPT;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
--- a/LibRaw.spec
+++ b/LibRaw.spec
@ -1,12 +1,20 @@
 Name:          LibRaw
 Version:       0.20.2
-Release:       3
+Release:       8
 Summary:       Library for reading RAW files obtained from digital photo cameras
-License:       BSD and (CDDL or LGPLv2)
+License:       BSD and (CDDL-1.0 or LGPLv2)
 URL:           http://www.libraw.org
 Source0:       http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
 Patch0000:     prevent-buffer-overrun-in-parse_rollei.patch
 Patch0001:     fix-stack-buffer-overflow-in-LibRaw_buffer_datastream_gets.patch
+Patch0002:     fix-use-of-uninitialized-value.patch
+Patch0003:     CVE-2023-1729.patch
+# https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49
+Patch0004:     CVE-2021-32142.patch
+Patch0005:     backport-upstream_CVE-2025-43963.patch
+Patch0006:     CVE-2025-43961_CVE-2025-43962.patch
+Patch0007:     CVE-2025-43964.patch
+
 BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
 BuildRequires: autoconf automake libtool
 Provides:      bundled(dcraw) = 9.25
@ -67,6 +75,21 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %exclude %{_docdir}/libraw/*

 %changelog
+* Tue May 06 2025 yaoxin <1024769339@qq.com> - 0.20.2-8
+- Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964
+
+* Tue Apr 22 2025 hdliu <dev03108@linx-info.com> - 0.20.2-7
+- Fix CVE-2025-43963
+
+* Tue Mar 26 2024 yaoxin <yao_xin001@hoperun.com> - 0.20.2-6
+- Fix CVE-2021-32142
+
+* Mon May 15 2023 yaoxin <yao_xin001@hoperun.com> - 0.20.2-5
+- Fix CVE-2023-1729
+
+* Thu Jun 3 2021 zhangjiapeng <zhangjiapeng9@huawei.com> - 0.20.2-4
+- fix use of uninitialized value
+
 * Sat Dec 5 2020 leiju <leiju4@huawei.com> - 0.20.2-3
 - modify Patch0001 name to fix patch parse error

--- a/backport-upstream_CVE-2025-43963.patch
+++ b/backport-upstream_CVE-2025-43963.patch
@ -0,0 +1,35 @@
+From 511c586dd6267e26ccdb61c16b98566a05c6e01e Mon Sep 17 00:00:00 2001
+From: hdliu <dev03108@linx-info.com>
+Date: Mon, 21 Apr 2025 17:43:18 +0800
+Subject: [PATCH] prevent out-of-buffer access in phase_one_correct()
+
+Signed-off-by: hdliu <dev03108@linx-info.com>
+---
+ src/decoders/load_mfbacks.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c051..a8f2c6d 100644
+--- a/src/decoders/load_mfbacks.cpp
+++ b/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,7 @@ int LibRaw::phase_one_correct()
+           off_412 = ftell(ifp) - 38;
+         }
+       }
+-      else if (tag == 0x041f && !qlin_applied)
+      else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant linearization */
+         ushort lc[2][2][16], ref[16];
+         int qr, qc;
+@@ -288,7 +288,7 @@ int LibRaw::phase_one_correct()
+         }
+         qmult_applied = 1;
+       }
+-      else if (tag == 0x0431 && !qmult_applied)
+      else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant combined */
+         ushort lc[2][2][7], ref[7];
+         int qr, qc;
+-- 
+2.33.0
+
--- a/fix-use-of-uninitialized-value.patch
+++ b/fix-use-of-uninitialized-value.patch
@ -0,0 +1,20 @@
+diff --git a/src/metadata/sony.cpp b/src/metadata/sony.cpp
+index 120340b..2e8dd49 100644
+--- a/src/metadata/sony.cpp
+++ b/src/metadata/sony.cpp
+@@ -1071,6 +1071,7 @@ void LibRaw::parseSonyMakernotes(
+            (len >= 196))
+   {
+     table_buf = (uchar *)malloc(len);
+    memset(table_buf,0,len);
+     fread(table_buf, len, 1, ifp);
+ 
+     lid = 0x01 << 2;
+@@ -1106,6 +1107,7 @@ void LibRaw::parseSonyMakernotes(
+            (len >= 227))
+   {
+     table_buf = (uchar *)malloc(len);
+    memset(table_buf,0,len);
+     fread(table_buf, len, 1, ifp);
+ 
+     lid = 0x0;
Author	SHA1	Message	Date
openeuler-ci-bot	bbf7949091	!77 Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964 From: @starlet-dx Reviewed-by: @wk333 Signed-off-by: @wk333	2025-05-06 01:49:47 +00:00
starlet-dx	e5962ded92	Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964	2025-05-06 12:04:35 +08:00
openeuler-ci-bot	db5d6f9e1d	!64 Fix CVE-2025-43963 From: @liu-haodong142 Reviewed-by: @wk333 Signed-off-by: @wk333	2025-04-24 11:19:43 +00:00
hdliu	d4b15370e6	Fix CVE-2025-43963 Signed-off-by: hdliu <dev03108@linx-info.com>	2025-04-21 17:56:48 +08:00
openeuler-ci-bot	2c0fee8d8e	!51 Fix CVE-2021-32142 From: @starlet-dx Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2024-03-26 06:39:27 +00:00
starlet-dx	35c14b7096	Fix CVE-2021-32142	2024-03-26 14:15:25 +08:00
openeuler-ci-bot	bf4e625f59	!45 [sync] PR-44: Fix CVE-2023-1729 From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001	2023-05-15 07:44:33 +00:00
starlet-dx	bab38fa6e5	Fix CVE-2023-1729 (cherry picked from commit 1ed5e98b5534a12f7a0bf0cb0259c4453ae21739)	2023-05-15 15:06:43 +08:00
openeuler-ci-bot	4d8110692c	!27 [sync] PR-26: fix use of uninitialized value From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-06-03 18:53:29 +08:00
jpzhang187	9fcbfe62cc	fix use of uninitialized value (cherry picked from commit 9113987cc058e57d85fef5662e5ceef226a917eb)	2021-06-03 18:47:32 +08:00