Bug 17314

Summary: libraw new security issues CVE-2015-8366 and CVE-2015-8367
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/667153/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: libraw-0.16.2-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-08 20:20:51 CET 
Fedora has issued an advisory on December 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173363.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libraw packages fix security vulnerabilities:

It was found that smal_decode_segment function do not handle index carefully,
which may cause index overflow (CVE-2015-8366).

It was found that phase_one_correct function does not handle memory objectâs
initialization correctly, which may have unspecified impact (CVE-2015-8367).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173363.html
========================

Updated packages in core/updates_testing:
========================
libraw-tools-0.16.2-1.1.mga5
libraw10-0.16.2-1.1.mga5
libraw_r10-0.16.2-1.1.mga5
libraw-devel-0.16.2-1.1.mga5

from libraw-0.16.2-1.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-12-08 20:21:43 CET 
libraw10 used by shotwell and nomacs, libraw_r10 used by entangle and luminance-hdr.
Comment 2 William Kenney 2015-12-09 17:58:33 CET 
In VirtualBox, M5, KDE, 32-bit

Sample .CDR RAW images were created with my Canon DSLR

Package(s) under test:
libraw10 libraw_r10

default install of libraw10 & libraw_r10

[root@localhost wilcal]# urpmi libraw10
Package libraw10-0.16.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r10
Package libraw_r10-0.16.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.i586 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can minipulate the images, save them as a png or jpg file,
then reopen them with gimp.

install libraw10 & libraw_r10 from updates_testing

[root@localhost wilcal]# urpmi libraw10
Package libraw10-0.16.2-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r10
Package libraw_r10-0.16.2-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.i586 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can minipulate the images, save them as a png or jpg file,
then reopen them with gimp.

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 3 William Kenney 2015-12-09 18:20:06 CET 
In VirtualBox, M5, KDE, 64-bit

Sample .CDR RAW images were created with my Canon DSLR

Package(s) under test:
lib64raw10 lib64raw_r10

default install of lib64raw10 & lib64raw_r10

[root@localhost wilcal]# urpmi lib64raw10
Package lib64raw10-0.16.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64raw_r10
Package lib64raw_r10-0.16.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.x86_64 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can minipulate the images, save them as a png or jpg file,
then reopen them with gimp.

install lib64raw10 & lib64raw_r10 from updates_testing

[root@localhost wilcal]# urpmi lib64raw10
Package lib64raw10-0.16.2-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64raw_r10
Package lib64raw_r10-0.16.2-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.x86_64 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can minipulate the images, save them as a png or jpg file,
then reopen them with gimp.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 4 William Kenney 2015-12-09 18:20:38 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2015-12-10 09:52:45 CET

Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 5 Mageia Robot 2015-12-10 21:58:18 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0469.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 Herman Viaene 2017-07-24 16:14:44 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Used a few raw pictures.
At CLI:
$ raw-identify P7212389.ORF 
P7212389.ORF is a Olympus E-500 image.
and
$ strace -o libraw.txt nomacs P7212389.ORF 
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
new suffix: .jpg *.jpeg)
I could save the image...
Resulting jpg file OK.

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2017-07-24 16:15:52 CEST 
Sorry, update on wrong bug.