From ${URL} :

CVE-2013-1438: Specially crafted photo files may trigger a division by zero, an infinite loop, or a null pointer dereference in libraw leading to denial of service in applications using the library.

These vulnerabilities appear to originate in dcraw and as such any program or library based on it is affected. To name a few confirmed applications: dcraw, ufraw. Other affected software: shotwell, darktable, and libkdcraw (Qt-style interface to libraw, using embedded copy) which is used by digikam. Google Picasa apparently uses dcraw/ufraw so it might be affected. dcraw's homepage has a list of applications that possibly still use it: http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely that all versions are affected. (not listing all the other applications as I'm only considering libraw as the piece with CVE relevance, given the fact that it is a library.)

Fixed in: libraw 0.15.4

CVE-2013-1439: Specially crafted photo files may trigger a series of conditions in which a null pointer is dereferenced leading to denial of service in applications using the library.

These three vulnerabilities are in/related to the 'faster LJPEG decoder', which upstream states was introduced in LibRaw 0.13 and support for which is going to be dropped in 0.16.

Affected versions of libraw: 0.13.x-0.15.x

Fixed in: libraw 0.15.4

Patches:
0.15.x: https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
Future 0.16.x: https://github.com/LibRaw/LibRaw/commit/9ae25d8c3a6bfb40c582538193264f74c9b93bc0

(upstream decided to commit all fixes in a single commit. The missing changes in the patch for 0.16 are the ones that correspond to CVE-2013-4139. I.e. 0.16 patchset is CVE-2013-1438, while the 0.15 patchset is CVE-2013-4138 + CVE-2013-4139.)

Upstream states that there will be backported fixes for the 0.14 branch but there won't be any new release and "[they] should use 0.14-stable branch from github repo".
@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Arches, please stabilize: =media-libs/libraw-0.15.4
no stable keywords for alpha/arm/ia64/sparc, why did you CC them?
um. I'm looking at bug 482544 and Pacho's comment. CC'ing arches back, sorry
amd64/ppc/ppc64/x86 stable
arm stable
sparc stable
alpha stable
GLSA vote: yes we already have draft for libraw
GLSA vote: yes, added to GLSA draft. @maintainers: cleanup please.
Maintainer timeout: vulnerable versions are removed from tree
This issue was resolved and addressed in GLSA 201309-09 at http://security.gentoo.org/glsa/glsa-201309-09.xml by GLSA coordinator Chris Reffett (creffett).
CVE-2013-1439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1439): The "faster LJPEG decoder" in libraw 0.13.x, 0.14.x, and 0.15.x before 0.15.4 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a crafted photo file.