| Summary: | libraw, libkdcraw, darktable, xbmc, rawtherapee, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | anssi.hannula, balcaen.john, fundawang, jani.valimaa, mageia, mageia |
| Version: | 4 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/566156/ | ||
| Whiteboard: | MGA3TOO | ||
| Source RPM: | libraw-0.14.7-5.mga3.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 11376, 12074, 12125, 12613, 12692, 12693 | ||
| Bug Blocks: | |||
|
Description
David Walser
2013-09-04 03:07:29 CEST
David Walser
2013-09-04 03:08:14 CEST
CC:
(none) =>
balcaen.john, jani.valimaa, lmenut, mageia, nicolas.lecureuil Fedora has issued an advisory for libraw on August 30: https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115367.html URL:
(none) =>
http://lwn.net/Vulnerabilities/566156/ Ubuntu has issued an advisory for libkdcraw on September 30: http://www.ubuntu.com/usn/usn-1978-1/ Judging from this, xbmc and rawtherapee may also be affected: http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1438.html CC:
(none) =>
anssi.hannula, fundawang
David Walser
2013-10-04 19:32:13 CEST
Severity:
normal =>
major
David Walser
2013-10-04 19:39:56 CEST
Depends on:
(none) =>
11376
David Walser
2013-11-21 23:05:17 CET
Blocks:
(none) =>
11726 Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/ Whiteboard:
MGA3TOO, MGA2TOO =>
MGA3TOO set as mga3 only. Blocks:
11726 =>
(none) This hasn't been fully addressed in Cauldron yet. Blocks:
(none) =>
11726 Fedora has issued advisories for dcraw and ufraw on December 7: https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html
Luc Menut
2013-12-22 01:03:37 CET
Depends on:
(none) =>
12074 libkdcraw: - Cauldron: fixed with libkdcraw-4.11.4-2.mga4 http://svnweb.mageia.org/packages?view=revision&revision=559662 - Mga 3: fixed with libkdcraw-4.10.5-1.2.mga3 in updates_testing http://svnweb.mageia.org/packages?view=revision&revision=559670 security update request: bug 12074
David Walser
2013-12-27 14:46:06 CET
Depends on:
(none) =>
12125 dcraw and ufraw have now been fixed in: dcraw-9.19-3.mga4 ufraw-0.19.2-5.mga4 dcraw-9.19-1.mga3 ufraw-0.19.2-5.mga3 I haven't seen patches out there for the other affected packages, so I don't anticipate being able to fix them before Mageia 4, if at all. Therefore, removing from the security updates tracker for Mageia 4. Blocks:
11726 =>
(none) Anssi, Damien, and Jani, maybe we should update Mageia 3 and Mageia 4 to newer versions of xbmc, darktable, and shotwell (where applicable). xbmc is on qa https://bugs.mageia.org/show_bug.cgi?id=12613 ;) Funda, similarly, we should probably update rawtherapee to the newest upstream version 4.0.12. Hmh I had somehow missed this. Quick look suggests XBMC upstream is still vulnerable, I'll have to take a closer look ASAP.
Luc Menut
2014-02-05 23:21:53 CET
CC:
lmenut =>
(none) I've looked at the shotwell, darktable, and rawtherapee packages regarding this. shotwell builds against the system libraw and does not have a bundled copy, so it's not vulnerable. darktable fixed this upstream in 1.2.3, which is the version included in Mageia 4, so only Mageia 3 is vulnerable. I've patched it in SVN and will push it soon. rawtherapee includes a copy of dcraw.c in their code, which they convert to C++ (dcraw.cc) before compiling it. The newest rawtherapee (4.0.12) has dcraw 9.19 and is still vulnerable to CVE-2013-1438. The patch we applied to the dcraw package applies fine to the C++ version dcraw.cc. I've added this in Cauldron SVN, and we should backport this version to Mageia 3 and Mageia 4. Also, both libraw and darktable contain old vulnerable copies of dcraw.c in their source trees, but they don't appear to actually build them. Summary:
libraw, libkdcraw, darktable, shotwell, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439 =>
libraw, libkdcraw, darktable, xbmc, rawtherapee, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439 XBMC includes an embedded copy of CxImage, which includes an embedded copy of libDCR, which is an old fork of dcraw.c. I've patched our packages by porting the fix from libraw and updated update request bug #12613, and sent the patch to libDCR and XBMC upstreams. The libDCR upstream (same as CxImage) may be dead, though. Thanks Anssi. I've pushed my changes the build system (haven't backported rawtherapee yet). All packages in Cauldron should now be fixed. I'll file new bugs for darktable and rawtherapee. Version:
Cauldron =>
4
David Walser
2014-02-09 20:26:22 CET
Depends on:
(none) =>
12692
David Walser
2014-02-09 21:08:00 CET
Depends on:
(none) =>
12693 I was able to backport the dcraw patch to the older versions in rawtherapee, so I patched it for Mageia 3 and Mageia 4, rather than updating it. Everything is now pushed to the build system and assigned to QA. Once the last of these updates is pushed, this bug can be closed. All better now :o) Thanks everyone. Status:
NEW =>
RESOLVED |