From https://bugzilla.redhat.com/show_bug.cgi?id=1287076: It was found that phase_one_correct function does not handle memory object's initialization correctly, which may have unspecified impact. Upstream patch: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2

From https://bugzilla.redhat.com/show_bug.cgi?id=1287056: It was found that smal_decode_segment function does not handle index carefully, which may cause index overflow. Upstream patch: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Version bumped in tree that should fix this security issue. I'd say let's wait for a day or two before stabilizing. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=959e17fc23e79e2bf93a39524c1c102a07548aa5
No reported regressions so far, so I guess it should be okay to stabilize media-libs/libraw-0.17.1
@ Arches, please test and mark stable: =media-libs/libraw-0.17.2
Stable on alpha.
amd64 stable
x86 stable
arm stable
ppc stable
ppc64 stable
sparc stable
Stable for HPPA.
ia64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Vulnerable versions removed.
GLSA request filed.
This issue was resolved and addressed in GLSA 201701-60 at https://security.gentoo.org/glsa/201701-60 by GLSA coordinator Aaron Bauman (b-man).