Login
Newsletter
Werbung

Sicherheit: Denial of Service in LibRaw
Aktuelle Meldungen Distributionen
Name: Denial of Service in LibRaw
ID: FEDORA-2013-15576
Distribution: Fedora
Plattformen: Fedora 18
Datum: Di, 10. September 2013, 09:08
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1439
Applikationen: LibRaw

Originalnachricht

Name        : LibRaw
Product : Fedora 18
Version : 0.14.8
Release : 3.fc18.20120830git98d925
URL : http://www.libraw.org
Summary : Library for reading RAW files obtained from digital photo cameras
Description :
LibRaw is a library for reading RAW files obtained from digital photo
cameras (CRW/CR2, NEF, RAF, DNG, and others).

LibRaw is based on the source codes of the dcraw utility, where part of
drawbacks have already been eliminated and part will be fixed in future.

-------------------------------------------------------------------------------
-
Update Information:

Raphael Geissert reported two denial of service flaws in LibRaw [1]:

CVE-2013-1438:

Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw leading to
denial of service in applications using the library.
These vulnerabilities appear to originate in dcraw and as such any
program or library based on it is affected. To name a few confirmed
applications: dcraw, ufraw. Other affected software: shotwell,
darktable, and libkdcraw (Qt-style interface to libraw, using embedded
copy) which is used by digikam.

Google Picasa apparently uses dcraw/ufraw so it might be affected.
dcraw's homepage has a list of applications that possibly still use
it:
http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely
that all versions are affected.

Fixed in: libraw 0.15.4

CVE-2013-1439:

Specially crafted photo files may trigger a series of conditions in
which a null pointer is dereferenced leading to denial of service in
applications using the library. These three vulnerabilities are
in/related to the 'faster LJPEG decoder', which upstream states was
introduced in LibRaw 0.13 and support for which is going to be dropped
in 0.16.

Affected versions of libraw: 0.13.x-0.15.x
-------------------------------------------------------------------------------
-
ChangeLog:

* Fri Aug 30 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-3
- Update to snapshot 98d925 to fix CVE-2013-1438,9, BZ 1002717.
* Wed May 29 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-2
- Patch for double free, CVE-2013-2126, BZ 968387.
* Wed May 29 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-1
- Latest upstream, fixes gcc 4.8 issues.
* Thu Apr 11 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.7-4
- Revert prior patch.
* Thu Apr 11 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.7-3
- Patch for segfault, BZ 948628.
* Wed Feb 13 2013 Fedora Release Engineering
<rel-eng@lists.fedoraproject.org> - 0.14.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Nov 26 2012 Jon Ciesla <limburgher@gmail.com> - 0.14.7-1
- New upstream 0.14.7
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1002717 - CVE-2013-1439 CVE-2013-1438 LibRaw: multiple denial of
service flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1002717
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update LibRaw' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung