Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 549336 (CVE-2015-3885) - <media-gfx/dcraw-9.26.0: input sanitization errors (CVE-2015-3885)
Summary: <media-gfx/dcraw-9.26.0: input sanitization errors (CVE-2015-3885)
Status: RESOLVED FIXED
Alias: CVE-2015-3885
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-13 07:19 UTC by Agostino Sarubbo
Modified: 2017-01-23 03:35 UTC (History)
0 users

See Also:
Package list:
=media-gfx/dcraw-9.27.0
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-13 07:19:44 UTC
From ${URL} :

#2015-006 dcraw input sanitization errors

Description:

The dcraw photo decoder is an open source project for raw image parsing.

The dcraw tool, as well as several other projects re-using its code, suffers
from an integer overflow condition which lead to a buffer overflow. The
vulnerability concerns the 'len' variable, parsed without validation from
opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability,
causing a Denial of Service condition.

Affected version:

   dcraw >= 7.00
   UFRaw >= 0.5
   LibRaw <= 0.16.0, 0.17-Alpha2
   RawTherapee >= 3.0
   CxImage >= 6.00
   Rawstudio >= 0.1
   Kodi >= 10.0
   ExactImage >= 0.1.0

Fixed version:

   dcraw, N/A
   UFRaw, N/A
   LibRaw >= 0.16.1, 0.17-Alpha3
   RawTherapee, N/A
   CxImage, N/A
   Rawstudio, N/A
   Kodi, N/A
   ExactImage, N/A

Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot]
com>.

CVE: N/A

Timeline:

2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release

References:
https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e

Permalink:
http://www.ocert.org/advisories/ocert-2015-006.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:08:19 UTC
CVE-2015-3885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3885):
  Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier
  allows remote attackers to cause a denial of service (crash) via a crafted
  image, which triggers a buffer overflow, related to the len variable.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 17:01:28 UTC
@ Arches,

please test and mark stable: =media-gfx/dcraw-9.27.0
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-23 18:01:42 UTC
Stable on alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-25 18:28:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-25 18:55:46 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2016-11-29 17:32:41 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-01 12:45:25 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-03 10:39:39 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-11 10:37:58 UTC
sparc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:32:57 UTC
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-17 14:26:11 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Markus Meier gentoo-dev 2017-01-17 17:09:21 UTC
vulnerable versions removed.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 08:15:09 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-01-23 03:35:30 UTC
This issue was resolved and addressed in
 GLSA 201701-54 at https://security.gentoo.org/glsa/201701-54
by GLSA coordinator Aaron Bauman (b-man).