Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 744190 (CVE-2020-24889, CVE-2020-24890) - <media-libs/libraw-0.20.0: Multiple vulnerabilities (CVE-2020-{24889,24890})
Summary: <media-libs/libraw-0.20.0: Multiple vulnerabilities (CVE-2020-{24889,24890})
Status: RESOLVED FIXED
Alias: CVE-2020-24889, CVE-2020-24890
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-23 03:13 UTC by Sam James
Modified: 2020-11-13 18:38 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/libraw-0.20.0
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-09-23 03:13:14 UTC
* CVE-2020-24889

Description:
"A buffer overflow vulnerability in LibRaw version < 20.0 LibRaw::GetNormalizedModel in src/metadata/normalize_model.cpp may lead to context-dependent arbitrary code execution."

Bug: https://github.com/LibRaw/LibRaw/issues/334

* CVE-2020-24890

Description:
"libraw 20.0 has a null pointer dereference vulnerability in parse_tiff_ifd in src/metadata/tiff.cpp, which may result in context-dependent arbitrary code execution."

Bug: https://github.com/LibRaw/LibRaw/issues/335
Comment 1 Sam James archtester gentoo-dev Security 2020-09-23 03:15:39 UTC
I'm not even sure if 24890 is valid given "This is compiler error[...]" and the same patch gets linked both times.

But the first one seems to be, so is it ready to stable if you agree the second one is invalid?
Comment 2 NATTkA bot gentoo-dev 2020-09-25 20:52:48 UTC
Unable to check for sanity:

> no match for package: media-libs/libraw-20.0
Comment 3 Sam James archtester gentoo-dev Security 2020-09-29 00:02:23 UTC
arm64 stable
Comment 4 Rolf Eike Beer 2020-09-30 05:32:06 UTC
sparc stable
Comment 5 Sergei Trofimovich gentoo-dev 2020-10-02 10:03:03 UTC
ppc/ppc64 stable
Comment 6 Sam James archtester gentoo-dev Security 2020-10-02 22:15:32 UTC
arm done
Comment 7 Sam James archtester gentoo-dev Security 2020-10-03 15:15:45 UTC
x86 done
Comment 8 Sam James archtester gentoo-dev Security 2020-10-03 15:51:54 UTC
amd64 done

all arches done
Comment 9 Sam James archtester gentoo-dev Security 2020-10-03 15:55:03 UTC
amd64 done

all arches done
Comment 10 Sam James archtester gentoo-dev Security 2020-10-03 15:56:49 UTC
Please cleanup.
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 14:18:28 UTC
Cleaned.
Comment 12 Sam James archtester gentoo-dev Security 2020-11-13 18:38:57 UTC
https://security.gentoo.org/glsa/202010-05