Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 673740 (CVE-2018-20363, CVE-2018-20364, CVE-2018-20365) - <media-libs/libraw-0.19.2: multiple vulnerabilities
Summary: <media-libs/libraw-0.19.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-20363, CVE-2018-20364, CVE-2018-20365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.securityfocus.com/bid/106...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-26 06:20 UTC by Melissa Mcdonald
Modified: 2019-08-11 01:07 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/libraw-0.19.3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Melissa Mcdonald 2018-12-26 06:20:50 UTC
LibRAW is prone to the following security vulnerabilities:

1. Multiple denial-of-service vulnerabilities.
2. A heap-based buffer-overflow vulnerability.

An attacker can exploit these issues to cause denial-of-service conditions.

LibRaw version 0.19.1 is vulnerable.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 20:46:00 UTC
Maintainer(s), please advise if the current stabilization of bug #641648, solves this problem.
Comment 2 Andreas Sturmlechner gentoo-dev 2019-07-10 19:42:07 UTC
Arches please stabilise.
Comment 3 Agostino Sarubbo gentoo-dev 2019-07-11 09:15:02 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-07-14 10:04:23 UTC
ia64 stable
Comment 5 ernsteiswuerfel archtester 2019-07-15 15:01:57 UTC
Looking good on ppc64.

rdep failing: media-libs/gegl (bug #686202)

# cat libraw-673740.report 
USE tests started on Mo 15. Jul 16:03:24 CEST 2019

FEATURES=' test' USE='' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3

revdep tests started on Mo 15. Jul 16:27:46 CEST 2019

FEATURES=' test' USE='raw' succeeded for media-gfx/imagemagick
USE='raw' FEATURES=' test' failed for media-libs/gegl
Comment 6 ernsteiswuerfel archtester 2019-07-16 11:53:42 UTC
Looking good on ppc.

rdep failing: media-libs/gegl (bug #686202)

# cat libraw-673740.report 
USE tests started on Di 16. Jul 10:04:44 CEST 2019

FEATURES=' test' USE='' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3

revdep tests started on Di 16. Jul 12:36:44 CEST 2019

FEATURES=' test' USE='raw' succeeded for media-gfx/imagemagick
USE='raw' FEATURES=' test' failed for media-libs/gegl
Comment 7 Agostino Sarubbo gentoo-dev 2019-07-17 13:59:44 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-07-18 09:57:53 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-07-18 10:02:04 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-07-18 10:03:59 UTC
alpha stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-07-21 16:05:53 UTC
arm64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 11:02:23 UTC
arm stable
Comment 13 Larry the Git Cow gentoo-dev 2019-07-28 11:24:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f81b99e85368d4162d8e25da47e839247aa843a

commit 9f81b99e85368d4162d8e25da47e839247aa843a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-07-28 11:18:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-07-28 11:23:31 +0000

    media-libs/libraw: Security cleanup
    
    Bug: https://bugs.gentoo.org/673740
    Closes: https://bugs.gentoo.org/679512
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libraw/Manifest              |  4 --
 media-libs/libraw/libraw-0.18.13.ebuild | 66 ---------------------------------
 media-libs/libraw/libraw-0.19.2.ebuild  | 61 ------------------------------
 media-libs/libraw/metadata.xml          |  3 --
 4 files changed, 134 deletions(-)