Name : LibRaw Product : Fedora 18 Version : 0.14.8 Release : 3.fc18.20120830git98d925 URL : http://www.libraw.org Summary : Library for reading RAW files obtained from digital photo cameras Description : LibRaw is a library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others).
LibRaw is based on the source codes of the dcraw utility, where part of drawbacks have already been eliminated and part will be fixed in future.
------------------------------------------------------------------------------- - Update Information:
Raphael Geissert reported two denial of service flaws in LibRaw [1]:
CVE-2013-1438:
Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw leading to
denial of service in applications using the library.
These vulnerabilities appear to originate in dcraw and as such any
program or library based on it is affected. To name a few confirmed
applications: dcraw, ufraw. Other affected software: shotwell,
darktable, and libkdcraw (Qt-style interface to libraw, using embedded
copy) which is used by digikam.
Google Picasa apparently uses dcraw/ufraw so it might be affected.
dcraw's homepage has a list of applications that possibly still use
it:
http://cybercom.net/~dcoffin/dcraw/
Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely
that all versions are affected.
Fixed in: libraw 0.15.4
CVE-2013-1439:
Specially crafted photo files may trigger a series of conditions in
which a null pointer is dereferenced leading to denial of service in
applications using the library. These three vulnerabilities are
in/related to the 'faster LJPEG decoder', which upstream states was
introduced in LibRaw 0.13 and support for which is going to be dropped
in 0.16.
Affected versions of libraw: 0.13.x-0.15.x ------------------------------------------------------------------------------- - ChangeLog:
* Fri Aug 30 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-3 - Update to snapshot 98d925 to fix CVE-2013-1438,9, BZ 1002717. * Wed May 29 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-2 - Patch for double free, CVE-2013-2126, BZ 968387. * Wed May 29 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-1 - Latest upstream, fixes gcc 4.8 issues. * Thu Apr 11 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.7-4 - Revert prior patch. * Thu Apr 11 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.7-3 - Patch for segfault, BZ 948628. * Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14.7-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild * Mon Nov 26 2012 Jon Ciesla <limburgher@gmail.com> - 0.14.7-1 - New upstream 0.14.7 ------------------------------------------------------------------------------- - References:
[ 1 ] Bug #1002717 - CVE-2013-1439 CVE-2013-1438 LibRaw: multiple denial of service flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1002717 ------------------------------------------------------------------------------- -
This update can be installed with the "yum" update program. Use su -c 'yum update LibRaw' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys ------------------------------------------------------------------------------- - _______________________________________________ package-announce mailing list package-announce@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/package-announce
|