Bug 673740 (CVE-2018-20363, CVE-2018-20364, CVE-2018-20365) - <media-libs/libraw-0.19.2: multiple vulnerabilities
Summary: <media-libs/libraw-0.19.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-20363, CVE-2018-20364, CVE-2018-20365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.securityfocus.com/bid/106...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-26 06:20 UTC by Melissa Mcdonald
Modified: 2019-08-11 01:07 UTC

See Also:
Package list:
media-libs/libraw-0.19.3
Runtime testing required: ---
stable-bot: sanity-check+


Description Melissa Mcdonald 2018-12-26 06:20:50 UTC
LibRAW is prone to the following security vulnerabilities:

1. Multiple denial-of-service vulnerabilities.
2. A heap-based buffer-overflow vulnerability.

An attacker can exploit these issues to cause denial-of-service conditions.

LibRaw version 0.19.1 is vulnerable.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 20:46:00 UTC
Maintainer(s), please advise if the current stabilization of bug #641648 solves this problem.
Comment 2 Andreas Sturmlechner gentoo-dev 2019-07-10 19:42:07 UTC
Arches please stabilise.
Comment 3 Agostino Sarubbo gentoo-dev 2019-07-11 09:15:02 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-07-14 10:04:23 UTC
ia64 stable
Comment 5 ernsteiswuerfel archtester 2019-07-15 15:01:57 UTC
Looking good on ppc64.

rdep failing: media-libs/gegl (bug #686202)

# cat libraw-673740.report 
USE tests started on Mo 15. Jul 16:03:24 CEST 2019

FEATURES=' test' USE='' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3

revdep tests started on Mo 15. Jul 16:27:46 CEST 2019

FEATURES=' test' USE='raw' succeeded for media-gfx/imagemagick
USE='raw' FEATURES=' test' failed for media-libs/gegl
Comment 6 ernsteiswuerfel archtester 2019-07-16 11:53:42 UTC
Looking good on ppc.

rdep failing: media-libs/gegl (bug #686202)

# cat libraw-673740.report 
USE tests started on Di 16. Jul 10:04:44 CEST 2019

FEATURES=' test' USE='' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg -lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg lcms -openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg -lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples -jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='-examples jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3
USE='examples jpeg lcms openmp' succeeded for =media-libs/libraw-0.19.3

revdep tests started on Di 16. Jul 12:36:44 CEST 2019

FEATURES=' test' USE='raw' succeeded for media-gfx/imagemagick
USE='raw' FEATURES=' test' failed for media-libs/gegl
Comment 7 Agostino Sarubbo gentoo-dev 2019-07-17 13:59:44 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-07-18 09:57:53 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-07-18 10:02:04 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-07-18 10:03:59 UTC
alpha stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-07-21 16:05:53 UTC
arm64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 11:02:23 UTC
arm stable
Comment 13 Larry the Git Cow gentoo-dev 2019-07-28 11:24:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f81b99e85368d4162d8e25da47e839247aa843a

commit 9f81b99e85368d4162d8e25da47e839247aa843a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-07-28 11:18:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-07-28 11:23:31 +0000

    media-libs/libraw: Security cleanup
    
    Bug: https://bugs.gentoo.org/673740
    Closes: https://bugs.gentoo.org/679512
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libraw/Manifest              |  4 --
 media-libs/libraw/libraw-0.18.13.ebuild | 66 ---------------------------------
 media-libs/libraw/libraw-0.19.2.ebuild  | 61 ------------------------------
 media-libs/libraw/metadata.xml          |  3 --
 4 files changed, 134 deletions(-)