Bug 471694 (CVE-2013-2126) - <media-libs/libraw-0.15.2, <kde-base/libkdcraw-4.10.5-r1: Double-Free and Buffer Overflow Vulnerabilities (CVE-2013-{2126,2127})
Status: RESOLVED FIXED
Alias: CVE-2013-2126
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53547/
Whiteboard: B2 [glsa]
Reported: 2013-05-29 12:27 UTC by Agostino Sarubbo
Modified: 2013-09-15 05:12 UTC

Description Agostino Sarubbo gentoo-dev 2013-05-29 12:27:57 UTC
From ${URL} :

Description
Two vulnerabilities have been reported in LibRaw, which can be exploited by malicious people to potentially compromise an application using the library.

1) A double-free error exists when handling damaged full-color within Foveon and sRAW files.

2) An error during exposure correction can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in the following products and versions:
* LibRaw versions prior to 0.15.2.
* LibRaw-demosaic-pack-GPL2 versions prior to 0.15.2.
* LibRaw-demosaic-pack-GPL3 versions prior to 0.15.2.


Solution
Update to version 0.15.2.

Provided and/or discovered by
Reported by the vendor.

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://www.libraw.org/news/libraw-0-15-1
http://www.libraw.org/news/libraw-0-15-2



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2013-06-11 21:35:00 UTC
I'm pretty sure this also affects kde-base/libkdcraw (all versions), since it contains copied code. Fix at earliest expected with kde-4.11.0
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2013-06-11 21:38:52 UTC
(In reply to Andreas K. Hüttel from comment #1)
> I'm pretty sure this also affects kde-base/libkdcraw (all versions), since
> it contains copied code. Fix at earliest expected with kde-4.11.0

Confirmed. Current git KDE/4.10 (equal libkdcraw-4.10.4) contains LibRaw 0.15.0-Beta1
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-02 21:20:33 UTC
Marking as upstream while we wait for KDE 4.11. Perhaps we should split this into two bugs since we can stable & clean libraw while we wait for KDE?
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-07-02 22:36:12 UTC
For the record, libkdcraw-4.10.90 (i.e. 4.10-beta2) contains libraw-0.15.2, meaning the issue is fixed there.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2013-07-04 21:59:40 UTC
Starting from 4.10.5-r1 and 4.10.90-r1, we unbundle libraw in libkdcraw, meaning these versions are not affected anymore if the system library is up to date.
Comment 6 Michael Palimaka (kensington) gentoo-dev 2013-08-20 15:31:33 UTC
kde-base/libkdcraw-4.10.5-r1 is stable, so there are no affected versions of this package in the tree.
media-libs/libraw-0.15.2 is stable, but there are two earlier affected versions still in the tree.
Comment 7 Sergey Popov gentoo-dev 2013-08-21 06:33:32 UTC
Thanks for your work.

New GLSA request filed
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 01:37:18 UTC
CVE-2013-2127 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2127):
  Buffer overflow in the exposure correction code in LibRaw before 0.15.1
  allows context-dependent attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via unspecified vectors.

CVE-2013-2126 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2126):
  Multiple double free vulnerabilities in the LibRaw::unpack function in
  libraw_cxx.cpp in LibRaw before 0.15.2 allow context-dependent attackers to
  cause a denial of service (application crash) and possibly execute arbitrary
  code via a malformed full-color (1) Foveon or (2) sRAW image file.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-09-15 05:12:06 UTC
This issue was resolved and addressed in
 GLSA 201309-09 at http://security.gentoo.org/glsa/glsa-201309-09.xml
by GLSA coordinator Chris Reffett (creffett).