Bug 549340 - <media-gfx/rawtherapee-4.2-r1: input sanitization errors (CVE-2015-3885)
Summary: <media-gfx/rawtherapee-4.2-r1: input sanitization errors (CVE-2015-3885)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
Reported: 2015-05-13 07:24 UTC by Agostino Sarubbo
Modified: 2017-02-22 10:27 UTC
See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2015-05-13 07:24:06 UTC
From ${URL} :

#2015-006 dcraw input sanitization errors

Description:

The dcraw photo decoder is an open source project for raw image parsing.

The dcraw tool, as well as several other projects re-using its code, suffers
from an integer overflow condition which leads to a buffer overflow. The
vulnerability concerns the 'len' variable, parsed without validation from
opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability,
causing a Denial of Service condition.

Affected version:

   dcraw >= 7.00
   UFRaw >= 0.5
   LibRaw <= 0.16.0, 0.17-Alpha2
   RawTherapee >= 3.0
   CxImage >= 6.00
   Rawstudio >= 0.1
   Kodi >= 10.0
   ExactImage >= 0.1.0

Fixed version:

   dcraw, N/A
   UFRaw, N/A
   LibRaw >= 0.16.1, 0.17-Alpha3
   RawTherapee, N/A
   CxImage, N/A
   Rawstudio, N/A
   Kodi, N/A
   ExactImage, N/A

Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot] com>.

CVE: N/A

Timeline:

2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release

References:
https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e

Permalink:
http://www.ocert.org/advisories/ocert-2015-006.html

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
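The advisory above describes the bug class but not the code. The following is an added illustration, not dcraw's or RawTherapee's source: a toy parser for a length-prefixed segment (a 16-bit big-endian length field whose value includes the two length bytes, as in lossless JPEG markers). `unsafe_payload_len()` mirrors the unchecked "field minus 2" computation, which wraps to an enormous size when the field is 0 or 1; `parse_segment()` is a hardened version that rejects a length that would go negative, that exceeds the remaining input, or that exceeds the destination buffer. The names, the 64 KiB capacity and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the destination buffer (constructed; dcraw's actual size may differ). */
#define SEG_MAX 0x10000

/* Outcome of parsing one length-prefixed segment. */
typedef struct {
    int ok;      /* 1 if the segment was accepted and copied */
    size_t len;  /* payload length, excluding the 2-byte length field */
} seg_result;

/* Unchecked length computation: 16-bit big-endian field minus 2.
 * A field value of 0 or 1 yields a negative int, which becomes a huge
 * size_t when handed to a copy routine. This is the integer-overflow
 * pattern the advisory describes; it only computes, it never copies. */
size_t unsafe_payload_len(const uint8_t *p) {
    int len = ((p[0] << 8) | p[1]) - 2;
    return (size_t)len;
}

/* Hardened parse: every quantity derived from the file is bounded before
 * it is used as a copy size. */
seg_result parse_segment(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap) {
    seg_result r = {0, 0};
    if (in_len < 2) return r;                           /* no length field at all */
    unsigned field = ((unsigned)in[0] << 8) | in[1];
    if (field < 2) return r;                            /* "field - 2" would go negative */
    size_t len = field - 2;
    if (len > in_len - 2) return r;                     /* payload extends past the input */
    if (len > out_cap) return r;                        /* payload does not fit destination */
    memcpy(out, in + 2, len);
    r.ok = 1;
    r.len = len;
    return r;
}

int main(void) {
    static uint8_t dst[SEG_MAX];
    /* Constructed inputs: a well-formed segment, a field of 1, and a field
     * that claims far more payload than the input actually holds. */
    const uint8_t good[]      = {0x00, 0x06, 'a', 'b', 'c', 'd'};
    const uint8_t negative[]  = {0x00, 0x01, 'x'};
    const uint8_t truncated[] = {0xFF, 0xFF, 'x'};

    printf("unchecked len for field=1: %zu\n", unsafe_payload_len(negative));
    printf("good: ok=%d len=%zu\n",
           parse_segment(good, sizeof good, dst, sizeof dst).ok,
           parse_segment(good, sizeof good, dst, sizeof dst).len);
    printf("negative: ok=%d\n", parse_segment(negative, sizeof negative, dst, sizeof dst).ok);
    printf("truncated: ok=%d\n", parse_segment(truncated, sizeof truncated, dst, sizeof dst).ok);
    return 0;
}
```

The three checks in `parse_segment()` are the ones a review of any dcraw-derived decoder should look for: the subtraction cannot underflow, the length is bounded by the bytes actually present, and it is bounded by the destination before any copy happens.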
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-12-02 11:00:25 UTC
No rdeps.  Please consider for tree cleaning.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-04 23:08:32 UTC
CVE-2015-3885 (vulnerability in dcraw) was fixed by upstream in dcraw-9.26.0, see bug 549336.

Upstream updated to dcraw-9.27 via https://github.com/Beep6581/RawTherapee/commit/18243db5bafb63595fd561c89a7b7676483ef843 but didn't tag a release yet.

Because upstream seems to be alive I requested a new release, see https://github.com/Beep6581/RawTherapee/issues/3521
Comment 3 DrSlony 2017-02-03 10:03:43 UTC
This bug is obsolete. Can be closed.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-02-03 10:47:24 UTC
(In reply to DrSlony from comment #3)
> This bug is obsolete. Can be closed.

why is it obsolete?
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-02-04 02:08:54 UTC
@maintainer(s), please clean the vulnerable versions.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 10:27:59 UTC
tree is clean.