Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630842 (CVE-2017-14348) - <media-libs/libraw-0.18.4: heap-based Buffer Overflow via a crafted file
Summary: <media-libs/libraw-0.18.4: heap-based Buffer Overflow via a crafted file
Status: RESOLVED FIXED
Alias: CVE-2017-14348
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/LibRaw/LibRaw/issu...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-13735
  Show dependency tree
 
Reported: 2017-09-12 20:05 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-10-08 21:21 UTC (History)
1 user (show)

See Also:
Package list:
=media-libs/libraw-0.18.4
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-09-12 20:05:50 UTC 
CVE-2017-14348 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14348):

LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file. 

References:

https://github.com/LibRaw/LibRaw/issues/100


@Maintainer(s): After the version bump please let us know if it is ready for stabilization.
Comment 1 Tim Harder gentoo-dev 2017-09-13 03:41:49 UTC 
Fixed in 0.18.4 now in the tree, feel free to start stabilization.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-13 14:13:44 UTC 
@Maintainer please confirm if SLOT 0/15 is vulnerable.

@Arches please test and mark stable.

@Security please add cve to database.

Gentoo Security Padawan
ChrisADR
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-15 07:32:52 UTC 
ia64 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-15 15:39:12 UTC 
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-16 19:13:54 UTC 
hppa stable
Comment 6 Markus Meier gentoo-dev 2017-09-18 04:30:25 UTC 
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 16:20:23 UTC 
ppc stable
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-09-26 22:45:20 UTC 
amd64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-29 23:10:03 UTC 
x86 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-29 23:14:40 UTC 
Re-adding ppc64: Ebuild isn't marked stable for ppc64.
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-30 03:01:59 UTC 
Must have mixed ppc/ppc64. Thanks for catching that!

ppc64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-06 10:00:13 UTC 
sparc stable (thanks to Rolf Eike Beer)
Comment 13 Aleksandr Wagner (Kivak) 2017-10-06 10:28:15 UTC 
Stabilization has been complete, thank you arches.

@Maintainer(s): Please remove the vulnerable versions from the tree.
Comment 14 Tim Harder gentoo-dev 2017-10-08 21:16:15 UTC 
Old versions removed.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 21:21:15 UTC 
GLSA Vote: No