
Bug 694532 (CVE-2018-19655)

Summary: <media-gfx/ufraw-0.22-r3: stack-based buffer overflow in find_green() function in dcraw.cc
Product: Gentoo Security
Reporter: Andreas Sturmlechner <asturm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Flags: stable-bot: sanity-check+
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2018-19655
Whiteboard: B3 [noglsa cve]
Package list: media-gfx/ufraw-0.22-r3
Runtime testing required: ---

Description Andreas Sturmlechner gentoo-dev 2019-09-15 23:47:58 UTC
https://nvd.nist.gov/vuln/detail/CVE-2018-19655

A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file.

The same revbump also fixes CVE-2015-8366 (similar code as in libraw):

https://bugzilla.suse.com/show_bug.cgi?id=1006704&_ga=2.222701341.764034572.1568590622-1578955419.1534973316
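The description above names the bug class (a stack-based buffer overflow in a raw decoder reached through a crafted file) but not its mechanics. The following is an added illustration, not ufraw's or dcraw's code and not the real find_green(): it models the pattern behind this kind of bug, a decoder that keeps a row of samples in a fixed-size stack array but takes its loop bound from a width field in the file header. The file layout (2-byte little-endian column count followed by one byte per column), the capacity MAX_COLS, the constructed sample inputs and every function name here are assumptions made for the example. The vulnerable form is shown beside a hardened form that rejects an oversized width before touching the buffer.

```c
/* Added example modelling the bug class in CVE-2018-19655; not dcraw/ufraw code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COLS 16u  /* hypothetical fixed capacity of the per-row stack buffer */

/* Constructed "raw" layout for this example only: a 2-byte little-endian
 * column count, then one 8-bit sample per column. Real raw formats are far
 * richer; only the header-controlled loop bound matters here. */
static unsigned header_width(const uint8_t *data, size_t len) {
    if (len < 2) return 0;
    return (unsigned)data[0] | ((unsigned)data[1] << 8);
}

/* Models a byte-at-a-time reader where reads past end of file yield 0, so a
 * tiny file with a huge width still drives the whole loop. */
static uint8_t sample_at(const uint8_t *data, size_t len, unsigned col) {
    size_t off = 2 + (size_t)col;
    return off < len ? data[off] : 0;
}

/* Vulnerable pattern: the loop bound comes from the file, the array size does
 * not. If header_width() > MAX_COLS this writes past `row` on the stack.
 * Never call it on untrusted input; it exists only to show the shape. */
long decode_row_vulnerable(const uint8_t *data, size_t len) {
    uint8_t row[MAX_COLS];
    unsigned width = header_width(data, len);
    long sum = 0;
    for (unsigned col = 0; col < width; col++)
        row[col] = sample_at(data, len, col);   /* OOB write once col >= MAX_COLS */
    for (unsigned col = 0; col < width; col++)
        sum += row[col];
    return sum;
}

/* Hardened form: validate the header field against the buffer's real capacity
 * before any write, and refuse the file rather than silently truncating. */
long decode_row_fixed(const uint8_t *data, size_t len) {
    uint8_t row[MAX_COLS];
    unsigned width = header_width(data, len);
    long sum = 0;
    if (width == 0 || width > MAX_COLS)
        return -1;                              /* reject: cannot fit in row[] */
    for (unsigned col = 0; col < width; col++)
        row[col] = sample_at(data, len, col);
    for (unsigned col = 0; col < width; col++)
        sum += row[col];
    return sum;
}

/* Bytes the vulnerable loop would write beyond row[] for this file, computed
 * arithmetically so the overflow can be reasoned about without triggering it. */
long overflow_bytes(const uint8_t *data, size_t len) {
    unsigned width = header_width(data, len);
    return width > MAX_COLS ? (long)(width - MAX_COLS) : 0;
}

/* Builds a benign file in the constructed layout; returns bytes written, 0 if
 * the caller's buffer is too small. */
size_t make_raw(uint8_t *out, size_t cap, unsigned width, uint8_t fill) {
    size_t need = 2 + (size_t)width;
    if (width > 0xffffu || need > cap) return 0;
    out[0] = (uint8_t)(width & 0xffu);
    out[1] = (uint8_t)(width >> 8);
    memset(out + 2, fill, width);
    return need;
}

/* Constructed crafted input: header claims 40000 columns and carries no samples. */
static const uint8_t CRAFTED_HEADER[2] = { 0x40, 0x9c };

int main(void) {
    uint8_t buf[64];
    size_t n = make_raw(buf, sizeof buf, 8, 3);
    printf("benign file: fixed=%ld vulnerable=%ld\n",
           decode_row_fixed(buf, n), decode_row_vulnerable(buf, n));
    printf("crafted header: width=%u fixed=%ld, vulnerable loop would overflow by %ld bytes\n",
           header_width(CRAFTED_HEADER, sizeof CRAFTED_HEADER),
           decode_row_fixed(CRAFTED_HEADER, sizeof CRAFTED_HEADER),
           overflow_bytes(CRAFTED_HEADER, sizeof CRAFTED_HEADER));
    return 0;
}
```

The point worth taking from the model is that the file does not need to carry the oversized row: a two-byte header is enough when short reads are folded into harmless values, which is why a small crafted photo can drive a large stack write. The hardened version checks the header field against the compile-time capacity and fails closed; a decoder that instead clamped width to MAX_COLS would avoid the overflow but silently decode a different image than the file describes.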
Comment 1 Andreas Sturmlechner gentoo-dev 2019-10-04 12:45:38 UTC
Arches, please stabilise.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-06 21:32:36 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-10-07 08:43:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-07 09:48:46 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-07 09:53:26 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-07 10:44:49 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-07 10:49:38 UTC
ia64 stable
Comment 8 Matt Turner gentoo-dev 2019-10-14 02:46:18 UTC
alpha keywords dropped to unstable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:20:46 UTC
arm stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:23:09 UTC
GLSA vote: no