Bug 694532 (CVE-2018-19655) - <media-gfx/ufraw-0.22-r3: stack-based buffer overflow in find_green() function in dcraw.cc
Status: RESOLVED FIXED
Alias: CVE-2018-19655
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-15 23:47 UTC by Andreas Sturmlechner
Modified: 2019-11-01 10:23 UTC

See Also:
Package list:
media-gfx/ufraw-0.22-r3
Runtime testing required: ---
stable-bot: sanity-check+


Description Andreas Sturmlechner gentoo-dev 2019-09-15 23:47:58 UTC
https://nvd.nist.gov/vuln/detail/CVE-2018-19655

A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file.


The same revbump also fixes CVE-2015-8366 (similar code as in libraw):

https://bugzilla.suse.com/show_bug.cgi?id=1006704&_ga=2.222701341.764034572.1568590622-1578955419.1534973316
Comment 1 Andreas Sturmlechner gentoo-dev 2019-10-04 12:45:38 UTC
Arches, please stabilise.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-06 21:32:36 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-10-07 08:43:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-07 09:48:46 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-07 09:53:26 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-07 10:44:49 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-07 10:49:38 UTC
ia64 stable
Comment 8 Matt Turner gentoo-dev 2019-10-14 02:46:18 UTC
alpha keywords dropped to unstable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:20:46 UTC
arm stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:23:09 UTC
GLSA vote: no