Bug 730046 (CVE-2020-15365, CVE-2020-15503) - media-libs/libraw: Out of bounds write vulnerability (CVE-2020-{15365,15503})
Summary: media-libs/libraw: Out of bounds write vulnerability (CVE-2020-{15365,15503})
Status: RESOLVED INVALID
Alias: CVE-2020-15365, CVE-2020-15503
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/LibRaw/LibRaw/issu...
Whiteboard: A3 [upstream/ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-28 18:16 UTC by John Helmert III
Modified: 2020-07-12 20:23 UTC
Description John Helmert III 2020-06-28 18:16:22 UTC
Description:

LibRaw before 0.20-Beta3 has an out-of-bounds write in parse_exif() in metadata\exif_gps.cpp via an unrecognized AtomName and a zero value of tiff_nifds.


Maintainer, please bump.
Comment 1 Mikle Kolyada (RETIRED) 2020-06-29 07:25:47 UTC
Beta there is highly unstable, rather not.
Comment 2 John Helmert III 2020-06-29 16:08:35 UTC
Reopening, changing to [upstream] since the upstream version is broken and won't be packaged
Comment 3 John Helmert III 2020-07-02 17:31:52 UTC
CVE-2020-15503:

LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength.

Patch: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d
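The pattern named in the CVE text above (a header size plus a file-supplied thumbnail length handed to malloc with no range check on that length) is easy to reproduce in isolation. The following is an added example written for this page, not LibRaw code and not the upstream patch: `image_t`, `thumb_t`, `THUMB_MAX_BYTES`, `sample_file` and every function name are assumptions with roughly the shape of the code the CVE describes. It shows the unchecked size arithmetic wrapping on a 32-bit size_t, and a checked variant that bounds the length by what the file actually contains before anything is allocated or copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the output structure: a small fixed header followed by the thumbnail
 * bytes. Assumed shape only, not LibRaw's libraw_processed_image_t. */
typedef struct {
    uint32_t data_size;
    unsigned char data[1];
} image_t;

/* Stand-in for the thumbnail record a decoder fills from file metadata (assumption). */
typedef struct {
    uint32_t toffset;  /* where the thumbnail starts in the file */
    uint32_t tlength;  /* thumbnail length as stated by the file, attacker-controlled */
} thumb_t;

/* Upper bound on an embedded thumbnail; a chosen cap for this example, not LibRaw's. */
#define THUMB_MAX_BYTES (64u * 1024u * 1024u)

/* The unchecked pattern: header size plus tlength goes straight to the allocator.
 * The sum is done in 32 bits to show what a 32-bit size_t does: a tlength near
 * UINT32_MAX wraps to a tiny allocation, and a memcpy of tlength bytes into it would
 * write far past the heap block. Only the size arithmetic is exercised here. */
uint32_t alloc_size_unchecked(uint32_t tlength) {
    return (uint32_t)(offsetof(image_t, data) + tlength);
}

/* Hardened form. Rejects a tlength that is zero, above the cap, longer than the bytes
 * actually left in the file after the thumbnail offset, or that would overflow the
 * allocation size. Returns the byte count to allocate, or 0 on rejection (0 is never
 * a valid total because the header alone is non-zero). */
size_t alloc_size_checked(uint32_t tlength, size_t bytes_available) {
    size_t hdr = offsetof(image_t, data);
    if (tlength == 0 || tlength > THUMB_MAX_BYTES || tlength > bytes_available)
        return 0;
    if ((size_t)tlength > SIZE_MAX - hdr)  /* only reachable with a 32-bit size_t */
        return 0;
    return hdr + tlength;
}

/* Copy the thumbnail out of an in-memory file using the checked size. Every byte read
 * lies inside [file, file + file_len). Returns NULL when the record is rejected. */
image_t *extract_thumb(const unsigned char *file, size_t file_len, const thumb_t *T) {
    if (T->toffset >= file_len)
        return NULL;
    size_t total = alloc_size_checked(T->tlength, file_len - T->toffset);
    if (total == 0)
        return NULL;
    image_t *img = malloc(total);
    if (img == NULL)
        return NULL;
    img->data_size = T->tlength;
    memcpy(img->data, file + T->toffset, T->tlength);
    return img;
}

/* Constructed 32-byte "raw file": an 8-byte fake header, then 24 bytes of thumbnail. */
static const unsigned char sample_file[32] = {
    'R', 'A', 'W', 'T', 0, 0, 0, 0,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
};

/* Runs one thumbnail record against the sample file; returns the number of bytes
 * copied when the record is accepted and the copy verified, 0 when it is rejected. */
size_t demo_extract(uint32_t toffset, uint32_t tlength) {
    thumb_t T = { toffset, tlength };
    image_t *img = extract_thumb(sample_file, sizeof sample_file, &T);
    if (img == NULL)
        return 0;
    size_t n = img->data_size;
    int intact = memcmp(img->data, sample_file + toffset, n) == 0;
    free(img);
    return intact ? n : 0;
}

int main(void) {
    printf("unchecked size for tlength=0xFFFFFFFE: %u bytes (header alone is %zu)\n",
           (unsigned)alloc_size_unchecked(0xFFFFFFFEu), (size_t)offsetof(image_t, data));
    printf("well-formed record (offset 8, len 24): copied %zu bytes\n", demo_extract(8, 24));
    printf("length one byte past EOF (offset 8, len 25): copied %zu bytes\n", demo_extract(8, 25));
    printf("huge length (offset 8, len 0xFFFFFFFE): copied %zu bytes\n",
           demo_extract(8, 0xFFFFFFFEu));
    return 0;
}
```

The check that matters most is `tlength > bytes_available`: with a 64-bit size_t the sum never wraps, but an unvalidated length still lets the file dictate how many bytes are copied out of a buffer whose real size the file does not control.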
Comment 4 Sam James 2020-07-04 19:04:43 UTC
As per zlogene, these files don't exist in the version we have packaged in Gentoo. I guess the vulnerability was introduced in master at some point.
Comment 5 Vladimir Smirnov 2020-07-12 17:56:00 UTC
That's not true; if you read the CVE, it doesn't give a "min" version in which it was introduced.

Files are not in master because the author did a refactoring and split the same code into multiple places. If you read the changelog (https://www.libraw.org/news/libraw-0-20-rc1):
"dcraw_common.cpp and libraw_cxx.cpp are split into multiple code chunks placed in separate subfolders (decoders/ for raw data decoders, metadata/ for metadata parsers, etc)"


So I would say that it is safe to say that current libraw is vulnerable.

If you then manually check the files in question in 0.19:
you can find the vulnerable function here:
https://github.com/LibRaw/LibRaw/blob/beeb572687270d49c16734c9ca620982151dbeff/src/libraw_cxx.cpp#L4235-L4241 and its code is pretty much the same as it was before the patch in current master.

mem_image file's function is here:
https://github.com/LibRaw/LibRaw/blob/beeb572687270d49c16734c9ca620982151dbeff/src/libraw_cxx.cpp#L3712-L3715


And function from thumb_utils is here:
https://github.com/LibRaw/LibRaw/blob/beeb572687270d49c16734c9ca620982151dbeff/src/libraw_cxx.cpp#L3976-L3981
Comment 6 Vladimir Smirnov 2020-07-12 20:05:23 UTC
Also some distros (RHEL/Fedora) backported the patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1853477

Basically someone should have a look at the patch there and decide if it covers those CVEs. As the code was rearranged and support for some of the cameras is new to 0.20, it would require some effort to backport and validate the RHEL/Fedora approach.
Comment 7 Mikle Kolyada (RETIRED) 2020-07-12 20:23:36 UTC
(In reply to Vladimir Smirnov from comment #6)
> Also some distros (RHEL/Fedora) backported the patch:
> https://bugzilla.redhat.com/show_bug.cgi?id=1853477
> 
> Basically some one should have a look at the patch there and decide if it
> covers those CVEs. As the code was rearranged and support for some of the
> cameras are new to 0.20, so it would require some effort to backport and
> validate RHEL/Fedora approach

As I told you in private conversation, it *may* fix one of the two vulnerabilities; the other is not covered by distros at all. Will take a look later.