Bug 10346

Summary: libraw new security issue CVE-2013-2126
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: jani.valimaa, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/553302/
See Also: https://bugs.mageia.org/show_bug.cgi?id=10427
https://bugs.mageia.org/show_bug.cgi?id=10428
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok
Source RPM: libraw-0.14.7-5.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-05-29 15:54:34 CEST 
Upstream has released 0.15.2, fixing two security issues:
http://www.libraw.org/news/libraw-0-15-1
http://www.libraw.org/news/libraw-0-15-2
http://secunia.com/advisories/53547/

CVEs have been requested but not assigned yet.  Links to upstream commits:
http://openwall.com/lists/oss-security/2013/05/29/1

Jani has already updated to 0.15.2 in Cauldron to fix this there.

Reproducible: 

Steps to Reproduce:
David Walser 2013-05-29 15:55:00 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 Jani Välimaa 2013-05-29 16:31:08 CEST 
I guess we'll need to backport those fixes for versions in mga2 and mga3 as 0.15.2 comes with new libmajor.

I'll check if we could backport those fixes or if other distors already have patches.
Comment 2 David Walser 2013-05-29 16:49:29 CEST 
Thanks.  It may not turn up in other distros until CVEs are assigned, so I'll let you know when that happens.
Comment 3 David Walser 2013-05-29 22:36:00 CEST 
CVEs have been assigned:
http://openwall.com/lists/oss-security/2013/05/29/7

Summary: libraw new security issues fixed in 0.15.2 => libraw new security issues CVE-2013-2126 and CVE-2013-2127

Comment 4 Jani Välimaa 2013-06-01 22:54:36 CEST 
Seems like CVE-2013-2127 isn't a problem as 0.14.x versions aren't affected: https://bugzilla.redhat.com/show_bug.cgi?id=968382#c5

CVE-2013-2126 is fixed in upstream:
https://github.com/LibRaw/LibRaw/commit/c14ae36d

I'll apply the patch for CVE-2013-2126.
David Walser 2013-06-01 23:03:36 CEST

Summary: libraw new security issues CVE-2013-2126 and CVE-2013-2127 => libraw new security issue CVE-2013-2126

Comment 5 David Walser 2013-06-01 23:05:00 CEST 
Thanks, so this is the only relevant one:
http://www.libraw.org/news/libraw-0-15-2
Comment 6 Jani Välimaa 2013-06-01 23:16:58 CEST 
Pushed new releases to fix CVE-2013-2126 to core/updates_testing.

For mga2: libraw-0.14.5-1.1.mga2
For mga3: libraw-0.14.7-5.1.mga3
Comment 7 David Walser 2013-06-02 00:11:53 CEST 
Thanks Jani!

Advisory:
========================

Updated libraw packages fix security vulnerability:

A double-free error exits when handling damaged full-color within Foveon and
sRAW files in libraw before 0.15.2 (CVE-2013-2126).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2126
http://secunia.com/advisories/53547/
http://www.libraw.org/news/libraw-0-15-2
========================

Updated packages in core/updates_testing:
========================
libraw-tools-0.14.5-1.1.mga2
libraw5-0.14.5-1.1.mga2
libraw_r5-0.14.5-1.1.mga2
libraw-devel-0.14.5-1.1.mga2
libraw-tools-0.14.7-5.1.mga3
libraw5-0.14.7-5.1.mga3
libraw_r5-0.14.7-5.1.mga3
libraw-devel-0.14.7-5.1.mga3

from SRPMS:
libraw-0.14.5-1.1.mga2.src.rpm
libraw-0.14.7-5.1.mga3.src.rpm

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Severity: normal => major

Comment 8 claire robinson 2013-06-03 12:15:33 CEST 
No PoC's so just checking it installs ok and some of the tools work ok from..

$ urpmf libraw-tools | grep bin

Note to new testers: When testing lib's on a 64bit machine the actual library, in this case libraw5 or libraw_r5 above, will be lib64raw5 & lib64raw_r5.
Comment 9 claire robinson 2013-06-03 12:32:16 CEST 
Testing complete mga3 64

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 10 claire robinson 2013-06-03 13:03:03 CEST 
Testing complete mga2 32 & 64

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok

Comment 11 claire robinson 2013-06-03 13:29:00 CEST 
Testing complete mga3 32

Validating

Advisory & srpms for Mageia 2 & 3 in comment 7

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

David Walser 2013-06-04 17:30:56 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=10427

David Walser 2013-06-04 17:31:00 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=10428

Comment 12 Nicolas Vigier 2013-06-06 21:43:42 CEST 
Packages have been pushed to updates.

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

David Walser 2013-06-07 18:56:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/553302/

Nicolas Vigier 2014-05-08 18:06:52 CEST

CC: boklm => (none)