diff -Nru libraw-0.14.4/debian/changelog libraw-0.14.4/debian/changelog
--- libraw-0.14.4/debian/changelog 2013-06-07 13:48:25.000000000 +0000
+++ libraw-0.14.4/debian/changelog 2013-09-20 16:48:15.000000000 +0000
@@ -1,3 +1,13 @@
+libraw (0.14.4-0ubuntu2.2) precise-security; urgency=low
+
+ * SECURITY UPDATE: denial of service via crafted photo files
+ - debian/patches/CVE-2013-143x.patch: add more checks to
+ internal/dcraw_common.cpp, src/libraw_datastream.cpp.
+ - CVE-2013-1438
+ - CVE-2013-1439
+
+ -- Marc Deslauriers Fri, 20 Sep 2013 12:47:53 -0400
+
 libraw (0.14.4-0ubuntu2.1) precise-security; urgency=low

 * SECURITY UPDATE: denial of service and possible code execution via
diff -Nru libraw-0.14.4/debian/patches/CVE-2013-143x.patch libraw-0.14.4/debian/patches/CVE-2013-143x.patch
--- libraw-0.14.4/debian/patches/CVE-2013-143x.patch 1970-01-01 00:00:00.000000000 +0000
+++ libraw-0.14.4/debian/patches/CVE-2013-143x.patch 2013-09-20 17:09:09.000000000 +0000
@@ -0,0 +1,190 @@
+Description: fix denial of service via crafted photo files
+Origin: backport, https://github.com/LibRaw/LibRaw/commit/c4e374ea6c979a7d1d968f5082b7d0ea8cd27202
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721338
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231
+
+Index: libraw-0.14.4/internal/dcraw_common.cpp
+===================================================================
+--- libraw-0.14.4.orig/internal/dcraw_common.cpp 2013-09-20 12:45:54.407831809 -0400
++++ libraw-0.14.4/internal/dcraw_common.cpp 2013-09-20 12:47:40.079828901 -0400
+@@ -689,7 +689,10 @@
+ int CLASS ljpeg_diff (ushort *huff)
+ {
+ int len, diff;
+-
++#ifdef LIBRAW_LIBRARY_BUILD
++ if(!huff)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ len = gethuff(huff);
+ if (len == 16 && (!dng_version || dng_version >= 0x1010000))
+ return -32768;
+@@ -703,6 +706,8 @@
+ int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushort *huff)
+ {
+ int len, diff;
++ if(!huff || !buf)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
+ len = bits._gethuff_lj(buf,*huff,huff+1);
+ if (len == 16 && (!dng_version || dng_version >= 0x1010000))
+@@ -839,6 +844,10 @@
+
+
+ if (!ljpeg_start (&jh, 0)) return;
++#ifdef LIBRAW_LIBRARY_BUILD
++ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ jwide = jh.wide * jh.clrs;
+
+ #ifdef LIBRAW_LIBRARY_BUILD
+@@ -855,13 +864,18 @@
+ }
+
+ slices = slicesWcnt * jh.high;
++ if(!slices)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
+
+ for(slice=0;slice= raw_width * raw_height)
++ if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
++ {
++ free(offset);
+ throw LIBRAW_EXCEPTION_IO_BADFILE;
++ }
+ t_y++;
+ if(t_y == jh.high)
+ {
+@@ -915,12 +929,27 @@
+ pixno++;
+ if (0 == --pixelsInSlice)
+ {
++ if(slice > slices)
++ {
++ free(offset);
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++ }
+ unsigned o =
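Review bot: The null check on `huff` at the top of `ljpeg_diff` is compiled only under `LIBRAW_LIBRARY_BUILD`, so a build without that macro still passes a null table straight to `gethuff(huff)`. The row check added later in this patch gives the non-library build an `#else` branch with `longjmp (failure, 3);`; the same `#else` here would keep the two builds consistent, assuming `failure` is in scope in this function. The body of `ljpeg_diff` continues past the end of the hunk.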
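Review bot: The guard added after `ljpeg_start (&jh, 0)` rejects only values below 1, so `jh.wide`, `jh.high`, `jh.clrs` and `jh.bits` have no upper bound when `jwide = jh.wide * jh.clrs` is computed on the next line. The thumbnail path later in this patch bounds the same header fields with `(unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000`; equivalent limits here would also keep `slicesWcnt * jh.high` in the following hunk from wrapping, assuming these fields are plain `int`. The enclosing function starts and ends outside the hunk.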
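Review bot: The result of `calloc(slices+1,sizeof(offset[0]))` is used without a null check as far as this hunk shows, even though every new error path takes care to `free(offset)`. A failed allocation for a large `slices` value would be dereferenced by the loop that follows; `if(!offset) throw LIBRAW_EXCEPTION_ALLOC;` directly after the call would cover it. Part of this hunk's text is missing on the page, so a check may exist in lines that are not shown.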
offset[slice++];
+ pixno = o & 0x0fffffff;
+ pixelsInSlice = slicesW[o>>28];
+ }
+ }
+ #endif
++
++ if(row>raw_height)
++#ifdef LIBRAW_LIBRARY_BUILD
++ {
++ free(offset);
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++ }
++#else
++ longjmp (failure, 3);
++#endif
+ #ifndef LIBRAW_LIBRARY_BUILD
+
+ if (raw_width == 3984 && (col -= 2) < 0)
+@@ -5354,6 +5383,7 @@
+ data_offset = get4()+base;
+ ifd++; break;
+ }
++ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
+ while (len--) {
+ i = ftell(ifp);
+ fseek (ifp, get4()+base, SEEK_SET);
+@@ -5589,7 +5619,7 @@
+ break;
+ case 50715: /* BlackLevelDeltaH */
+ case 50716: /* BlackLevelDeltaV */
+- for (num=i=0; i < len; i++)
++ for (num=i=0; i < len && i < 65536; i++)
+ num += getreal(type);
+ black += num/len + 0.5;
+ break;
+@@ -5723,9 +5753,12 @@
+ if (thumb_offset) {
+ fseek (ifp, thumb_offset, SEEK_SET);
+ if (ljpeg_start (&jh, 1)) {
+- thumb_misc = jh.bits;
+- thumb_width = jh.wide;
+- thumb_height = jh.high;
++ if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
++ {
++ thumb_misc = jh.bits;
++ thumb_width = jh.wide;
++ thumb_height = jh.high;
++ }
+ }
+ }
+ for (i=0; i < tiff_nifds; i++) {
+@@ -5735,7 +5768,8 @@
+ if (max_bps < tiff_ifd[i].bps)
+ max_bps = tiff_ifd[i].bps;
+ if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
+- (tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
++ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
++ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
+ tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
+ raw_width = tiff_ifd[i].t_width;
+ raw_height = tiff_ifd[i].t_height;
+@@ -5811,16 +5845,19 @@
+ if(dng_version && max_bps > 16)
+ is_raw = 0;
+ for (i=0; i < tiff_nifds; i++)
+- if (i != raw && tiff_ifd[i].samples == max_samp &&
+- tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
+- thumb_width * thumb_height / SQR(thumb_misc+1)) {
+- thumb_width =
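Review bot: The added `if(row>raw_height)` guard lets `row == raw_height` through; if `row` is used as a zero-based row index in the code after this hunk, the comparison needs to be `if(row>=raw_height)`. The guard is also split across `#ifdef LIBRAW_LIBRARY_BUILD`/`#else` with a braced block on one side and a bare statement on the other, which is easy to break in a later edit. A one-line comment above the `if`, such as `/* row beyond the declared raw height: treat the file as corrupt */`, would record the intent. The surrounding loop starts and ends outside the hunk.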
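Review bot: The capped loop `for (num=i=0; i < len && i < 65536; i++)` still feeds `black += num/len + 0.5;`, so when `len` exceeds 65536 the sum of at most 65536 samples is divided by the full `len`, and `len == 0` still reaches the division. Dividing by the number of samples actually read and skipping the empty case keeps the average meaningful, e.g. `if (i) black += num/i + 0.5;`. The `case` body sits in a switch that starts and ends outside the hunk.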
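Review bot: Bounding `t_width` and `t_height` below 0x10000 does not keep `tiff_ifd[i].t_width*tiff_ifd[i].t_height` in range if those fields are signed `int`, as the added `unsigned(...)` casts suggest: two values near 0xffff multiply to more than INT_MAX. The same product appears in the thumbnail selection rewritten by the hunk at `-5811,16`, next to `thumb_width * thumb_height`. Doing the comparison in a wider unsigned type avoids the wrap, e.g. `(unsigned long long)tiff_ifd[i].t_width*tiff_ifd[i].t_height > (unsigned long long)raw_width*raw_height`. The enclosing loop starts before the hunk and continues past it.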
tiff_ifd[i].t_width;
+- thumb_height = tiff_ifd[i].t_height;
+- thumb_offset = tiff_ifd[i].offset;
+- thumb_length = tiff_ifd[i].bytes;
+- thumb_misc = tiff_ifd[i].bps;
+- thm = i;
+- }
++ if (i != raw && tiff_ifd[i].samples == max_samp &&
++ tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
++ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
++ tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
++ thumb_width * thumb_height / SQR(thumb_misc+1)
++ && tiff_ifd[i].comp != 34892) {
++ thumb_width = tiff_ifd[i].t_width;
++ thumb_height = tiff_ifd[i].t_height;
++ thumb_offset = tiff_ifd[i].offset;
++ thumb_length = tiff_ifd[i].bytes;
++ thumb_misc = tiff_ifd[i].bps;
++ thm = i;
++ }
+ if (thm >= 0) {
+ thumb_misc |= tiff_ifd[thm].samples << 5;
+ switch (tiff_ifd[thm].comp) {
+Index: libraw-0.14.4/src/libraw_datastream.cpp
+===================================================================
+--- libraw-0.14.4.orig/src/libraw_datastream.cpp 2013-09-20 12:45:54.407831809 -0400
++++ libraw-0.14.4/src/libraw_datastream.cpp 2013-09-20 12:45:54.399831809 -0400
+@@ -31,7 +31,12 @@
+
+ LibRaw_byte_buffer *LibRaw_abstract_datastream::make_byte_buffer(unsigned int sz)
+ {
++ if(sz> 2u * 1024u * 1024u * 1024u) // 2GB is enough
++ throw LIBRAW_EXCEPTION_ALLOC;
++
+ LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(sz);
++ if(!ret) // failed new should throw std::exception
++ throw LIBRAW_EXCEPTION_ALLOC;
+ read(ret->get_buffer(),sz,1);
+ return ret;
+ }
+@@ -309,7 +314,10 @@
+
+ LibRaw_byte_buffer *LibRaw_buffer_datastream::make_byte_buffer(unsigned int sz)
+ {
++
+ LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(0);
++ if(!ret) // failed new should throw std::exception
++ throw LIBRAW_EXCEPTION_ALLOC;
+ if(streampos + sz > streamsize)
+ sz = streamsize - streampos;
+ ret->set_buffer(buf+streampos,sz);
diff -Nru libraw-0.14.4/debian/patches/series libraw-0.14.4/debian/patches/series
--- libraw-0.14.4/debian/patches/series 2013-06-07 13:48:08.000000000
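Review bot: The added `if(!ret)` after `new LibRaw_byte_buffer(sz)` in `LibRaw_abstract_datastream::make_byte_buffer` cannot fire, because a plain `new` reports failure by throwing `std::bad_alloc` rather than returning null, as the patch's own comment hints; the same dead check is added to `LibRaw_buffer_datastream::make_byte_buffer` in the next hunk. To surface `LIBRAW_EXCEPTION_ALLOC` on failure, use `new (std::nothrow) LibRaw_byte_buffer(sz)` (from `<new>`) or catch `std::bad_alloc` and rethrow. Separately, `ret` is a raw owning pointer, so it leaks if `read(ret->get_buffer(),sz,1)` throws, and the return value of `read` is not checked for a short read.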
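Review bot: The clamp `if(streampos + sz > streamsize) sz = streamsize - streampos;` in `LibRaw_buffer_datastream::make_byte_buffer` is left untouched, and it is only safe if the addition cannot wrap and `streampos <= streamsize`; neither variable's type is visible in the hunk. If `sz` can be derived from file contents, comparing without the addition is more robust: `if(streampos > streamsize) throw LIBRAW_EXCEPTION_IO_CORRUPT;` followed by `if(sz > streamsize - streampos) sz = streamsize - streampos;`. The tail of the function is outside the hunk.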
+0000
+++ libraw-0.14.4/debian/patches/series 2013-09-20 16:36:08.000000000 +0000
@@ -1 +1,2 @@
 CVE-2013-2126.patch
+CVE-2013-143x.patch