
Bug 482926 (CVE-2013-1438)

Summary: <media-libs/libraw-0.15.4 : two Denial of Service (CVE-2013-{1438,1439})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: graphics+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2013/08/29/3
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 481910

Description Agostino Sarubbo gentoo-dev 2013-08-29 14:09:39 UTC
From ${URL} :

CVE-2013-1438:

Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw leading to
denial of service in applications using the library.
These vulnerabilities appear to originate in dcraw and as such any
program or library based on it is affected. To name a few confirmed
applications: dcraw, ufraw. Other affected software: shotwell,
darktable, and libkdcraw (Qt-style interface to libraw, using embedded
copy) which is used by digikam.

Google Picasa apparently uses dcraw/ufraw so it might be affected.
dcraw's homepage has a list of applications that possibly still use
it:
http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely
that all versions are affected.

(not listing all the other applications as I'm only considering libraw
as the piece with CVE relevance, given the fact that it is a library.)

Fixed in: libraw 0.15.4

CVE-2013-1439:

Specially crafted photo files may trigger a series of conditions in
which a null pointer is dereferenced leading to denial of service in
applications using the library. These three vulnerabilities are
in/related to the 'faster LJPEG decoder', which upstream states was
introduced in LibRaw 0.13 and support for which is going to be dropped
in 0.16.

Affected versions of libraw: 0.13.x-0.15.x

Fixed in: libraw 0.15.4

Patches:
0.15.x:
https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
Future 0.16.x:
https://github.com/LibRaw/LibRaw/commit/9ae25d8c3a6bfb40c582538193264f74c9b93bc0

(upstream decided to commit all fixes in a single commit. The missing
changes in the patch for 0.16 are the ones that correspond to
CVE-2013-4139. I.e. 0.16 patchset is CVE-2013-1438, while the 0.15
patchset is CVE-2013-4138 + CVE-2013-4139.)

Upstream states that there will be backported fixes for the 0.14
branch but there won't be any new release and "[they] should use
0.14-stable branch from github repo".



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
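The report above names three defect classes in the raw-photo decoders (division by zero, infinite loop, NULL pointer dereference) but shows no code. The block below is an added illustration, not libraw's or dcraw's code and not the fix in the linked commits: a hypothetical header parser for a constructed 16-byte format that shows, for each class, the check a decoder needs before it trusts a value read from the file. The header layout, the field names, `parse_raw_header` and the sample inputs are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 16-byte header layout for this example (not a real raw format):
 *   bytes  0-3   width   (uint32, little-endian)
 *   bytes  4-7   height
 *   bytes  8-11  tile_w  (tile width; a divisor when computing tiles per row)
 *   bytes 12-15  step    (bytes advanced per row while scanning pixel data)
 *   bytes 16..   pixel data, which this format requires to be present        */
#define HDR_LEN 16

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,     /* shorter than the fixed header */
    PARSE_ZERO_DIVISOR,  /* tile_w == 0: an unchecked decoder would divide by zero */
    PARSE_ZERO_STRIDE,   /* step == 0: an unchecked row scan would never advance */
    PARSE_NO_DATA        /* no data block: an unchecked decoder would hold a NULL pointer */
};

struct raw_header {
    uint32_t width, height, tile_w, step;
    const uint8_t *data;    /* NULL when the file carries no data block */
    size_t data_len;
    uint32_t tiles_across;  /* derived: tiles needed to cover one row */
    uint32_t rows_scanned;  /* derived: rows reached by the bounded scan */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header, validating every file-supplied value before it is used as
 * a divisor, a loop stride or a pointer. Returns PARSE_OK, or the defect class
 * the input would have triggered in a decoder that lacks the check. */
enum parse_status parse_raw_header(const uint8_t *buf, size_t len, struct raw_header *out)
{
    memset(out, 0, sizeof *out);
    if (len < HDR_LEN)
        return PARSE_TRUNCATED;
    out->width  = rd32le(buf);
    out->height = rd32le(buf + 4);
    out->tile_w = rd32le(buf + 8);
    out->step   = rd32le(buf + 12);

    /* 1. Division by zero: reject a zero divisor before dividing. The ceiling
     *    division avoids "+ tile_w - 1" so it cannot overflow either. */
    if (out->tile_w == 0)
        return PARSE_ZERO_DIVISOR;
    out->tiles_across = out->width / out->tile_w + (out->width % out->tile_w != 0);

    /* 2. Infinite loop: a scan advancing 'step' bytes per row never ends when
     *    step is 0. Reject zero, and bound the loop by declared height and by
     *    the bytes actually present. */
    if (out->step == 0)
        return PARSE_ZERO_STRIDE;
    size_t off = HDR_LEN;
    uint32_t rows = 0;
    while (off < len && rows < out->height) {
        rows++;
        if (len - off <= out->step)  /* no full stride left: stop without overflow */
            break;
        off += out->step;
    }
    out->rows_scanned = rows;

    /* 3. NULL pointer dereference: the data block may simply be absent. Report
     *    it rather than handing a NULL pointer to the next decoding stage. */
    if (len == HDR_LEN)
        return PARSE_NO_DATA;
    out->data = buf + HDR_LEN;
    out->data_len = len - HDR_LEN;
    return PARSE_OK;
}

/* Constructed sample files (not real raw images): one well-formed, one per defect class. */
static const uint8_t SAMPLE_GOOD[] = {
    64, 0, 0, 0,  2, 0, 0, 0,  16, 0, 0, 0,  8, 0, 0, 0,    /* 64x2, tile 16, step 8 */
    1, 2, 3, 4, 5, 6, 7, 8,  9, 10, 11, 12, 13, 14, 15, 16  /* two 8-byte rows */
};
static const uint8_t SAMPLE_ZERO_TILE[] = { 64, 0, 0, 0,  2, 0, 0, 0,  0, 0, 0, 0,  8, 0, 0, 0,  1 };
static const uint8_t SAMPLE_ZERO_STEP[] = { 64, 0, 0, 0,  2, 0, 0, 0,  16, 0, 0, 0,  0, 0, 0, 0,  1 };
static const uint8_t SAMPLE_NO_DATA[]   = { 64, 0, 0, 0,  2, 0, 0, 0,  16, 0, 0, 0,  8, 0, 0, 0 };

enum parse_status check_sample(const uint8_t *buf, size_t len)
{
    struct raw_header h;
    return parse_raw_header(buf, len, &h);
}

uint32_t good_sample_tiles(void)  /* 64 / 16 = 4 */
{
    struct raw_header h;
    parse_raw_header(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &h);
    return h.tiles_across;
}

uint32_t good_sample_rows(void)   /* bounded by height: 2 */
{
    struct raw_header h;
    parse_raw_header(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &h);
    return h.rows_scanned;
}

int main(void)
{
    printf("good=%d tiles=%u rows=%u zero_tile=%d zero_step=%d no_data=%d\n",
           check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD), good_sample_tiles(), good_sample_rows(),
           check_sample(SAMPLE_ZERO_TILE, sizeof SAMPLE_ZERO_TILE),
           check_sample(SAMPLE_ZERO_STEP, sizeof SAMPLE_ZERO_STEP),
           check_sample(SAMPLE_NO_DATA, sizeof SAMPLE_NO_DATA));
    return 0;
}
```

The point of the structure is that each file-derived value is checked at the one place it is about to be used dangerously, and the loop is bounded by the buffer length as well as by the declared dimensions, so a header that lies about height cannot make the scan run past the data it has.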
Comment 1 Tim Harder gentoo-dev 2013-08-29 20:29:50 UTC
Arches, please stabilize:
=media-libs/libraw-0.15.4
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-29 22:32:40 UTC
no stable keywords for alpha/arm/ia64/sparc, why did you CC it?
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-29 22:55:31 UTC
um, I'm looking at bug 482544 and Pacho's comment. CC arches back, sorry
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-29 23:05:10 UTC
amd64/ppc/ppc64/x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-31 14:49:38 UTC
arm stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-31 15:53:43 UTC
sparc stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-31 16:47:17 UTC
alpha stable
Comment 8 Sergey Popov gentoo-dev 2013-09-02 08:27:51 UTC
GLSA vote: yes

we already have draft for libraw
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-02 13:44:33 UTC
GLSA vote: yes, added to GLSA draft. @maintainers: cleanup please.
Comment 10 Sergey Popov gentoo-dev 2013-09-12 09:03:20 UTC
Maintainer timeout: vulnerable versions are removed from tree
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-15 05:12:07 UTC
This issue was resolved and addressed in GLSA 201309-09 at http://security.gentoo.org/glsa/glsa-201309-09.xml by GLSA coordinator Chris Reffett (creffett).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:35:30 UTC
CVE-2013-1439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1439):
  The "faster LJPEG decoder" in libraw 0.13.x, 0.14.x, and 0.15.x before
  0.15.4 allows context-dependent attackers to cause a denial of service (NULL
  pointer dereference) via a crafted photo file.