Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630842 (CVE-2017-14348)

Summary: <media-libs/libraw-0.18.4: heap-based Buffer Overflow via a crafted file
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: graphics+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/LibRaw/LibRaw/issues/100
Whiteboard: B3 [noglsa cve]
Package list:
=media-libs/libraw-0.18.4
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 629280    

Description Aleksandr Wagner (Kivak) 2017-09-12 20:05:50 UTC
CVE-2017-14348 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14348):

LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file. 

References:

https://github.com/LibRaw/LibRaw/issues/100


@Maintainer(s): After the version bump please let us know if it is ready for stabilization.
Comment 1 Tim Harder gentoo-dev 2017-09-13 03:41:49 UTC
Fixed in 0.18.4 now in the tree, feel free to start stabilization.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-13 14:13:44 UTC
@Maintainer please confirm if SLOT 0/15 is vulnerable.

@Arches please test and mark stable.

@Security please add cve to database.

Gentoo Security Padawan
ChrisADR
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-15 07:32:52 UTC
ia64 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-15 15:39:12 UTC
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-16 19:13:54 UTC
hppa stable
Comment 6 Markus Meier gentoo-dev 2017-09-18 04:30:25 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 16:20:23 UTC
ppc stable
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-09-26 22:45:20 UTC
amd64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-29 23:10:03 UTC
x86 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-29 23:14:40 UTC
Re-adding ppc64: Ebuild isn't marked stable for ppc64.
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-30 03:01:59 UTC
Must have mixed ppc/ppc64. Thanks for catching that!

ppc64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-06 10:00:13 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 13 Aleksandr Wagner (Kivak) 2017-10-06 10:28:15 UTC
Stabilization has been complete, thank you arches.

@Maintainer(s): Please remove the vulnerable versions from the tree.
Comment 14 Tim Harder gentoo-dev 2017-10-08 21:16:15 UTC
Old versions removed.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 21:21:15 UTC
GLSA Vote: No