Bug 549340

Summary: <media-gfx/rawtherapee-4.2-r1: input sanitization errors (CVE-2015-3885)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: graphics+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2015/05/11/4
Whiteboard: ~2 [noglsa cve]
Package list: (none)
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-05-13 07:24:06 UTC
From ${URL} :

#2015-006 dcraw input sanitization errors

Description:

The dcraw photo decoder is an open source project for raw image parsing.

The dcraw tool, as well as several other projects re-using its code, suffers
from an integer overflow condition which leads to a buffer overflow. The
vulnerability concerns the 'len' variable, parsed without validation from
opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability,
causing a Denial of Service condition.

Affected version:

   dcraw >= 7.00
   UFRaw >= 0.5
   LibRaw <= 0.16.0, 0.17-Alpha2
   RawTherapee >= 3.0
   CxImage >= 6.00
   Rawstudio >= 0.1
   Kodi >= 10.0
   ExactImage >= 0.1.0

Fixed version:

   dcraw, N/A
   UFRaw, N/A
   LibRaw >= 0.16.1, 0.17-Alpha3
   RawTherapee, N/A
   CxImage, N/A
   Rawstudio, N/A
   Kodi, N/A
   ExactImage, N/A

Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot] com>.

CVE: N/A

Timeline:

2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release

References:
https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e

Permalink:
http://www.ocert.org/advisories/ocert-2015-006.html
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
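The bug class the advisory describes, a length field read from the image and used without validation, is illustrated below with an added example that is not dcraw's, LibRaw's or RawTherapee's code: a hypothetical marker-segment reader in the style of ljpeg_start() that rejects a length smaller than its own two bytes (which would otherwise wrap when converted to a size), a length that runs past the end of the input, and a length larger than the destination buffer. The sample segments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SEG_MAX 4096   /* hypothetical destination buffer size */

/* Parse one JPEG-style marker segment at in[pos..n): a 2-byte big-endian
 * marker followed by a 2-byte big-endian length that counts itself.
 * Copies the payload into out and returns its length, or -1 if rejected. */
int read_segment(const uint8_t *in, size_t n, size_t pos,
                 uint8_t out[SEG_MAX], unsigned *tag)
{
    if (n < pos || n - pos < 4) return -1;      /* need marker + length */
    *tag = (unsigned)in[pos] << 8 | in[pos + 1];
    unsigned len = (unsigned)in[pos + 2] << 8 | in[pos + 3];
    if (*tag <= 0xff00) return -1;              /* not a marker at all */
    /* The length counts its own two bytes. Without this check len - 2
     * goes negative for len < 2 and becomes a huge size_t in memcpy. */
    if (len < 2) return -1;
    size_t payload = len - 2;
    if (payload > n - pos - 4) return -1;       /* claims more than file has */
    if (payload > SEG_MAX) return -1;           /* larger than destination */
    memcpy(out, in + pos + 4, payload);
    return (int)payload;
}

/* Constructed samples: a valid DHT-like segment, a length below 2,
 * a length past the end of input, and bytes that are not a marker. */
static const uint8_t SAMPLE_OK[]         = {0xFF, 0xC4, 0x00, 0x05, 0x01, 0x02, 0x03};
static const uint8_t SAMPLE_SHORT_LEN[]  = {0xFF, 0xC3, 0x00, 0x01, 0x00};
static const uint8_t SAMPLE_TRUNCATED[]  = {0xFF, 0xC4, 0xFF, 0xFF, 0x01};
static const uint8_t SAMPLE_NOT_MARKER[] = {0x12, 0x34, 0x00, 0x02};

/* Run the reader over one sample from offset 0; returns read_segment's result. */
int try_sample(const uint8_t *buf, size_t n)
{
    uint8_t out[SEG_MAX];
    unsigned tag = 0;
    return read_segment(buf, n, 0, out, &tag);
}
```

Only the first sample yields a payload (3 bytes); the other three are rejected before any copy takes place.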
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-12-02 11:00:25 UTC
No rdeps.  Please consider for tree cleaning.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-04 23:08:32 UTC
CVE-2015-3885 (vulnerability in dcraw) was fixed by upstream in dcraw-9.26.0, see bug 549336.

Upstream updated to dcraw-9.27 via https://github.com/Beep6581/RawTherapee/commit/18243db5bafb63595fd561c89a7b7676483ef843 but didn't tag a release yet.

Because upstream seems to be alive, I requested a new release, see https://github.com/Beep6581/RawTherapee/issues/3521
Comment 3 DrSlony 2017-02-03 10:03:43 UTC
This bug is obsolete. Can be closed.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-02-03 10:47:24 UTC
(In reply to DrSlony from comment #3)
> This bug is obsolete. Can be closed.

Why is it obsolete?
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-02-04 02:08:54 UTC
@maintainer(s), please clean the vulnerable versions.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 10:27:59 UTC
Tree is clean.