Bug 12074

Summary: libkdcraw - libraw security issues CVE-2013-1438 and CVE-2013-1439
Product: Mageia Reporter: Luc Menut <lmenut>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: balcaen.john, luigiwalser, mageia, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: has_procedure advisory mga3-32-ok mga3-64-ok
Source RPM: libkdcraw-4.10.5-1.1.mga3.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 11149    

Description Luc Menut 2013-12-22 01:02:48 CET 
Description of problem:
Patched packages uploaded for Mageia 3.

Advisory:
========================

Updated libkdcraw packages fix libraw security vulnerabilities:

It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, applications linked against LibRaw could be made to crash, resulting
in a denial of service (CVE-2013-1438, CVE-2013-1439).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1439
========================

Updated packages in core/updates_testing:
========================
i586:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.i586.rpm
libkdcraw22-4.10.5-1.2.mga3.i586.rpm
libkdcraw-devel-4.10.5-1.2.mga3.i586.rpm
libkdcraw-debug-4.10.5-1.2.mga3.i586.rpm

x86_64:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw22-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-devel-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-debug-4.10.5-1.2.mga3.x86_64.rpm

from SRPMS:
libkdcraw-4.10.5-1.2.mga3.src.rpm



Reproducible: 

Steps to Reproduce:
Luc Menut 2013-12-22 01:03:37 CET

Blocks: (none) => 11149

Luc Menut 2013-12-22 01:16:22 CET

CC: (none) => balcaen.john, mageia

Comment 1 David Walser 2013-12-22 01:32:49 CET 
Thanks Luc!

I'd like to add one more URL to the references:
http://www.ubuntu.com/usn/usn-1978-1/
Comment 2 Luc Menut 2013-12-22 01:55:59 CET 
(In reply to David Walser from comment #1)
> Thanks Luc!
> 
> I'd like to add one more URL to the references:
> http://www.ubuntu.com/usn/usn-1978-1/

I didn't mention this reference because this Ubuntu update is for libkdcraw 4.8.5 which embeds libraw 0.14.4, while libkdcraw 4.10.5 embeds libraw 0.15.
So, I didn't use their patch, but I adapted upstream patch from the branch 0.15 https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad .
Comment 3 claire robinson 2013-12-23 10:57:04 CET 
Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5

Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
Debian apear to be updating libraw, redhat ufraw.


No PoC's.
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768
Comment 4 Luc Menut 2013-12-23 11:34:06 CET 
(In reply to claire robinson from comment #3)
> Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5
> 
> Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
> Debian apear to be updating libraw, redhat ufraw.

It seems that we have already updated libraw with libraw-0.14.7-5.2.mga3 (bug 11376). For ufraw, I don't know. I mainly contribute on kde stuff, and I don't have enough free time to help more, sorry.

> 
> 
> No PoC's.
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768

yep
Comment 5 claire robinson 2013-12-23 13:17:05 CET 
Testing complete mga3 32

Whiteboard: (none) => has_procedure mga3-32-ok

Comment 6 claire robinson 2013-12-23 13:30:18 CET 
Testing complete mga3 64

Advisory uploaded without the ubuntu reference, let me know David please if you still want it there.

Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2013-12-23 14:00:51 CET 
(In reply to claire robinson from comment #6)
> Testing complete mga3 64
> 
> Advisory uploaded without the ubuntu reference, let me know David please if
> you still want it there.

It would be helpful, yes.

And you're right that there are other packages affected, we have Bug 11149 for that.  Hopefully we'll have time to get it addressed soon.

CC: (none) => luigiwalser

Comment 8 claire robinson 2013-12-23 14:03:37 CET 
Added now.
Comment 9 Thomas Backlund 2013-12-23 18:30:00 CET 

Update pushed:
http://advisories.mageia.org/MGASA-2013-0385.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED