Bug 12692

Summary: darktable new security issues CVE-2013-1438 and CVE-2013-1439
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: stormi-mageia, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/566156/
Whiteboard: has_procedure advisory mga3-32-ok mga3-64-ok
Source RPM: darktable-1.2-1.1.mga3.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 11149    

Description David Walser 2014-02-09 20:26:09 CET 
As reported in Bug 11149, darktable contains an embedded copy of LibRaw, and darktable prior to version 1.2.3 is vulnerable to the security issues CVE-2013-1438 and CVE-2013-1439.

Mageia 4 shipped with 1.2.3, so it and Cauldron are not vulnerable.

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated darktable package fixes security vulnerabilities:

Darktable before version 1.2.3 contains an embedded copy of LibRaw that
incorrectly handled photo files. If a user was tricked into processing a
specially crafted photo file, darktable could be made to crash, resulting
in a denial of service (CVE-2013-1438, CVE-2013-1439).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1439
http://www.ubuntu.com/usn/usn-1964-1/
========================

Updated packages in core/updates_testing:
========================
darktable-1.2-1.2.mga3

from darktable-1.2-1.2.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-09 20:26:22 CET

Blocks: (none) => 11149

Comment 1 Samuel Verschelde 2014-02-10 16:45:46 CET 
Testing procedure: just import a variety of images (including raw files) and explore the menus.

I haven't found example files to test the vulnerability.

CC: (none) => stormi
Whiteboard: (none) => has_procedure

Comment 2 claire robinson 2014-02-10 17:50:25 CET 
Testing complete mga3 32 & 64

Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok

Comment 3 claire robinson 2014-02-10 18:16:57 CET 
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2014-02-10 21:34:18 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0050.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED