
Bug 549342

Summary: <media-tv/kodi-16.1: input sanitization errors (CVE-2015-3885)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: candrews, proxy-maint, vapier, xbox
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/05/11/4
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-05-13 07:34:27 UTC
From ${URL} :

#2015-006 dcraw input sanitization errors

Description:

The dcraw photo decoder is an open source project for raw image parsing.

The dcraw tool, as well as several other projects re-using its code, suffers
from an integer overflow condition which leads to a buffer overflow. The
vulnerability concerns the 'len' variable, parsed without validation from
opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability,
causing a Denial of Service condition.

Affected version:

   dcraw >= 7.00
   UFRaw >= 0.5
   LibRaw <= 0.16.0, 0.17-Alpha2
   RawTherapee >= 3.0
   CxImage >= 6.00
   Rawstudio >= 0.1
   Kodi >= 10.0
   ExactImage >= 0.1.0

Fixed version:

   dcraw, N/A
   UFRaw, N/A
   LibRaw >= 0.16.1, 0.17-Alpha3
   RawTherapee, N/A
   CxImage, N/A
   Rawstudio, N/A
   Kodi, N/A
   ExactImage, N/A

Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot] com>.

CVE: N/A

Timeline:

2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release

References:
https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e

Permalink:
http://www.ocert.org/advisories/ocert-2015-006.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
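The advisory above describes the bug only in outline: a 16-bit segment length read from the image has 2 subtracted (the JPEG length field counts itself), the result is held in an unsigned 16-bit 'len' and then trusted as a byte count, so a length field of 0 or 1 wraps to 0xfffe/0xffff. The following is an added example written for this page, not code from dcraw, LibRaw, Kodi or the advisory: it models that marker-segment walk over an in-memory buffer, shows the wrapping arithmetic next to a checked variant that rejects a field below 2, a payload larger than the scratch buffer, or a payload the input cannot supply, and runs both over constructed headers. All function names, the status codes and the sample bytes are this example's own; the marker values 0xFFD8, 0xFFC4 and 0xFFDA are the real JPEG markers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the bug class in the advisory: a JPEG marker
 * segment's 16-bit length is read from the file, 2 is subtracted, and the
 * result is used as a byte count without validation. Not dcraw/LibRaw code. */

#define SOI 0xffd8      /* start of image */
#define SOS 0xffda      /* start of scan: the header walk stops here */
#define SEGBUF 0x10000  /* per-segment scratch buffer, as in dcraw's ljpeg_start() */

enum seg_status {
    SEG_OK = 0,
    SEG_TRUNCATED  = -1, /* input ends before the segment does */
    SEG_BAD_MARKER = -2, /* not an 0xFFxx marker */
    SEG_BAD_LEN    = -3, /* length field < 2 would wrap after the -2 */
    SEG_TOO_BIG    = -4  /* payload larger than the destination buffer */
};

/* Unchecked pattern: the arithmetic lands in a 16-bit unsigned variable.
 * Length field 0 yields 0xfffe, length field 1 yields 0xffff. */
uint16_t payload_len_unchecked(const uint8_t hdr[4])
{
    uint16_t len = (uint16_t)((hdr[2] << 8 | hdr[3]) - 2);
    return len;
}

/* Checked pattern: validate the field before it becomes a byte count.
 * Reads one segment at *pos from in[0..n), copies the payload into dst,
 * advances *pos and reports the tag and payload length. */
int read_segment_checked(const uint8_t *in, size_t n, size_t *pos,
                         uint8_t *dst, size_t dstsz,
                         uint16_t *tag_out, size_t *len_out)
{
    if (n - *pos < 4) return SEG_TRUNCATED;
    const uint8_t *hdr = in + *pos;
    uint16_t tag = (uint16_t)(hdr[0] << 8 | hdr[1]);
    unsigned raw = (unsigned)(hdr[2] << 8 | hdr[3]);   /* counts its own 2 bytes */
    if ((tag & 0xff00) != 0xff00) return SEG_BAD_MARKER;
    if (raw < 2) return SEG_BAD_LEN;                    /* the wrap the advisory describes */
    size_t len = raw - 2;
    if (len > dstsz) return SEG_TOO_BIG;
    if (n - (*pos + 4) < len) return SEG_TRUNCATED;     /* file shorter than claimed */
    memcpy(dst, hdr + 4, len);
    *pos += 4 + len;
    *tag_out = tag;
    *len_out = len;
    return SEG_OK;
}

/* Walk a lossless-JPEG header: expect SOI, then segments until SOS.
 * Returns the number of segments consumed, or a negative seg_status. */
int walk_header_checked(const uint8_t *in, size_t n)
{
    static uint8_t scratch[SEGBUF];
    size_t pos, len;
    uint16_t tag;
    int count = 0;

    if (n < 2 || (in[0] << 8 | in[1]) != SOI) return SEG_BAD_MARKER;
    pos = 2;
    for (;;) {
        int rc = read_segment_checked(in, n, &pos, scratch, sizeof scratch, &tag, &len);
        if (rc != SEG_OK) return rc;
        count++;
        if (tag == SOS) return count;
    }
}

/* Constructed inputs (not from any real raw file). */
static const uint8_t good_hdr[] = {
    0xff, 0xd8,                                 /* SOI */
    0xff, 0xc4, 0x00, 0x05, 0x00, 0x01, 0x02,   /* DHT, length 5 -> 3 payload bytes */
    0xff, 0xda, 0x00, 0x02                      /* SOS, empty payload */
};
static const uint8_t crafted_hdr[] = {
    0xff, 0xd8,
    0xff, 0xc4, 0x00, 0x01,                     /* DHT with length field 1: 1 - 2 wraps */
    0xff, 0xda, 0x00, 0x02
};
static const uint8_t truncated_hdr[] = {
    0xff, 0xd8,
    0xff, 0xc4, 0x01, 0x00, 0xaa                /* claims 254 payload bytes, supplies 1 */
};

int main(void)
{
    printf("unchecked len for field 0x0001: 0x%04x\n", payload_len_unchecked(crafted_hdr + 2));
    printf("good header: %d segments\n", walk_header_checked(good_hdr, sizeof good_hdr));
    printf("crafted header: status %d\n", walk_header_checked(crafted_hdr, sizeof crafted_hdr));
    printf("truncated header: status %d\n", walk_header_checked(truncated_hdr, sizeof truncated_hdr));
    return 0;
}
```

The check that matters is the one on the raw field before the subtraction; checking `len` after it has already wrapped is too late, and bounding the copy against the scratch buffer alone does not stop later table parsing from walking `len` bytes of uninitialised or out-of-range data.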
Comment 1 Craig Andrews gentoo-dev 2017-06-06 15:15:51 UTC
Fixed in Kodi 16.0: https://github.com/xbmc/xbmc/pull/7141

Since 17.2 is currently the stable version, I think we're all set.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 16:37:11 UTC
Added to an existing GLSA.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:20:41 UTC
This issue was resolved and addressed in
 GLSA 201706-17 at https://security.gentoo.org/glsa/201706-17
by GLSA coordinator Kristian Fiskerstrand (K_F).