Bug 21004

Summary: libraw new security issues CVE-2017-688[679] and CVE-2017-6890
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory
Source RPM: libraw-0.16.2-1.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-06-01 12:21:35 CEST 
openSUSE has issued an advisory on May 31:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html

The issues were fixed upstream in 0.18.2 (already in Cauldron).
Comment 1 Marja Van Waes 2017-06-01 21:18:03 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 David Walser 2017-07-09 00:48:16 CEST 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libraw packages fix security vulnerabilities:

A memory corruption in parse_tiff_ifd() function (CVE-2017-6886).

A memory corruption via e.g. a specially crafted KDC file parse_tiff_ifd()
(CVE-2017-6887).

An integer overflow error within the "foveon_load_camf()" function
(CVE-2017-6889).

A boundary error within the "foveon_load_camf()" function (CVE-2017-6890).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6890
https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html
========================

Updated packages in core/updates_testing:
========================
libraw-tools-0.16.2-1.2.mga5
libraw10-0.16.2-1.2.mga5
libraw_r10-0.16.2-1.2.mga5
libraw-devel-0.16.2-1.2.mga5

from libraw-0.16.2-1.2.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs
Summary: libraw new security issues CVE-2017-688[6-9] and CVE-2017-6890 => libraw new security issues CVE-2017-688[679] and CVE-2017-6890

Comment 3 Herman Viaene 2017-07-24 16:16:08 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Used a few raw pictures.
At CLI:
$ raw-identify P7212389.ORF 
P7212389.ORF is a Olympus E-500 image.
and
$ strace -o libraw.txt nomacs P7212389.ORF 
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
new suffix: .jpg *.jpeg)
I could save the image...
Resulting jpg file OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-07-25 09:34:01 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 4 Lewis Smith 2017-07-28 11:00:45 CEST 
Validating under the current temporary policy (1 OK good) thanks to Herman's test. In fact not many testers will have RAW images available to them.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-07-28 20:13:17 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0223.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED