Bug 793956 (CVE-2020-24870) - <media-libs/libraw-0.20.2: Buffer overread (CVE-2020-24870)
Summary: <media-libs/libraw-0.20.2: Buffer overread (CVE-2020-24870)
Status: RESOLVED FIXED
Alias: CVE-2020-24870
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/LibRaw/LibRaw/issu...
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-02 18:53 UTC by Sam James
Modified: 2022-08-10 04:21 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 18:53:14 UTC
Description:
"Libraw before 0.20.1 has a stack buffer overflow via LibRaw::identify_process_dng_fields in identify.cpp."
Comment 1 Larry the Git Cow gentoo-dev 2021-07-24 06:22:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f50281d24542eec7e9336689170314d24e13e83

commit 1f50281d24542eec7e9336689170314d24e13e83
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-07-24 06:12:25 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-24 06:21:40 +0000

    media-libs/libraw: drop 0.20.0
    
    Bug: https://bugs.gentoo.org/793956
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-libs/libraw/Manifest             |  1 -
 media-libs/libraw/libraw-0.20.0.ebuild | 62 ----------------------------------
 2 files changed, 63 deletions(-)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:10:30 UTC
Package list is empty or all packages have requested keywords.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 23:00:31 UTC
GLSA request filed.
Comment 9 Larry the Git Cow gentoo-dev 2022-08-10 04:18:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=295e8cf0e4525d551c5cd7a97b5b356bf52dcaaa

commit 295e8cf0e4525d551c5cd7a97b5b356bf52dcaaa
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:06:16 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:16:27 +0000

    [ GLSA 202208-07 ] LibRaw: Stack buffer overread
    
    Bug: https://bugs.gentoo.org/793956
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:21:56 UTC
GLSA released, all done!