Bug 12125

Summary: dcraw and ufraw new security issue CVE-2013-1438
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cmrisolde, davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Articles/565560/
Whiteboard: advisory MGA3-32-OK MGA3-64-OK
Source RPM: dcraw, ufraw CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 11149    

Description David Walser 2013-12-27 14:45:50 CET 
Fedora has issued advisories for dcraw and ufraw on December 7:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html

Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated dcraw and ufraw packages fix security vulnerability:

Due to flaws in the embedded copy of LibRaw in dcraw and ufraw, corrupt input
files might trigger a division by zero, an infinite loop, or a null pointer
dereference (CVE-2013-1438).

The dcraw and ufraw packages have been updated to their newest versions and
patched to fix the flaws in the embedded LibRaw library.  They have also been
patched to use the more secure lcms2 color management library, rather than the
unmaintained lcms library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html
========================

Updated packages in core/updates_testing:
========================
dcraw-9.19-1.mga3
dcraw-gimp2.0-9.19-1.mga3
ufraw-0.19.2-5.mga3
ufraw-batch-0.19.2-5.mga3
ufraw-gimp-0.19.2-5.mga3

from SRPMS:
dcraw-9.19-1.mga3.src.rpm
ufraw-0.19.2-5.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-27 14:46:06 CET

Blocks: (none) => 11149

Dave Hodgins 2014-01-02 18:46:40 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Carolyn Rowse 2014-01-10 09:31:21 CET 
I'll have a look at this one over the weekend on both archs.

CC: (none) => isolde

Comment 2 Carolyn Rowse 2014-01-11 19:09:27 CET 
Couldn't find a POC but tried with fotoxx on 32-bit, worked fine before and after update.

Tested with Gimp as well, but to do that it had to uninstall fotoxx and ufraw and also there's a conflict between dcraw-gimp2.0-9.19-1.mga3 and ufraw-gimp-0.19.2-5.mga3 so I had to test those separately.

Aside from that, seems fine with 32-bit, will test 64-bit as well.

Whiteboard: advisory => advisory MGA3-32-OK

Comment 3 Carolyn Rowse 2014-01-11 22:08:47 CET 
Works fine in Fotoxx and Gimp after update on 64-bit as well.

Update validated.

See description for advisory and SRPMs.

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: advisory MGA3-32-OK => advisory MGA3-32-OK MGA3-64-OK

Comment 4 Thomas Backlund 2014-01-17 01:43:03 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0011.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED