* CVE-2020-24889 Description: "A buffer overflow vulnerability in LibRaw version < 20.0 LibRaw::GetNormalizedModel in src/metadata/normalize_model.cpp may lead to context-dependent arbitrary code execution." Bug: https://github.com/LibRaw/LibRaw/issues/334
* CVE-2020-24890 Description: "libraw 20.0 has a null pointer dereference vulnerability in parse_tiff_ifd in src/metadata/tiff.cpp, which may result in context-dependent arbitrary code execution." Bug: https://github.com/LibRaw/LibRaw/issues/335
I'm not even sure if 24890 is valid given "This is compiler error[...]" and the same patch gets linked both times. But the first one seems to be, so is it ready to stable if you agree the second one is invalid?
Unable to check for sanity:
> no match for package: media-libs/libraw-20.0
arm64 stable
sparc stable
ppc/ppc64 stable
arm done
x86 done
amd64 done
all arches done
Please cleanup.
Cleaned.
https://security.gentoo.org/glsa/202010-05