Bug 21756

Summary: libkdcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348, CVE-2018-580[0-2,5-6]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: KDE maintainers <kde>
Status: RESOLVED
Resolution: FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia, marja11, nicolas.salguero, qa-bugs, security
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: libkdcraw-17.08.0-3.mga7.src.rpm
CVE:
Status comment: Not fixed upstream as of end of 2017
Bug Depends on: 21716
Bug Blocks:

Description David Walser 2017-09-22 17:13:37 CEST
+++ This bug was initially created as a clone of Bug #21716 +++

Fedora has issued an advisory today (September 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/

The issues are fixed upstream in 0.18.4:
https://www.libraw.org/news/libraw-0-18-4

It looks like other things that embed this code are also affected, like we've seen in the past.  Fedora lists dcraw, libkdcraw, and rawtherapee as examples, and has issued an advisory for rawtherapee:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
David Walser 2017-09-22 17:13:54 CEST

Source RPM: libraw-0.18.2-1.mga6.src.rpm => libkdcraw-17.08.0-3.mga7.src.rpm
Assignee: bugsquad => kde
Whiteboard: (none) => MGA6TOO, MGA5TOO

David Walser 2017-09-25 16:53:38 CEST

Summary: libkdcraw new security issues CVE-2017-13735 and CVE-2017-14265 => libkdcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348

Comment 1 David Walser 2017-12-28 22:54:03 CET
I haven't any updates or patches for this, so it's too late for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:18:30 CET

Status comment: (none) => Not fixed upstream as of end of 2017

Comment 2 David Walser 2018-06-29 19:46:46 CEST
libraw 0.18.7 fixed CVE-2018-5801:
https://bugzilla.redhat.com/show_bug.cgi?id=1553334

libkdcraw may also be affected.

Comment 3 David Walser 2018-11-02 21:50:49 CET
Red Hat has issued an advisory on October 30:
https://access.redhat.com/errata/RHSA-2018:3065

It fixes the issue mentioned in Comment 2 and several others.

Summary: libkdcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348 => libkdcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348, CVE-2018-580[0-2,5-6]

Comment 4 David Walser 2018-11-27 14:26:12 CET
There's also CVE-2018-1956[5-8] in dcraw:
https://www.openwall.com/lists/oss-security/2018/11/27/1

David Walser 2019-06-23 19:24:54 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil 2020-05-22 14:04:09 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
CC: (none) => mageia

Comment 5 Nicolas Lécureuil 2020-05-22 14:55:37 CEST
We are not affected in libkdcraw.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2020-05-22 19:36:55 CEST
CVE-2017-13735 was never addressed:
https://bugzilla.redhat.com/show_bug.cgi?id=1488931

CVE-2018-580[0-2,5-6] certainly affect libkdcraw and we never fixed them:
https://access.redhat.com/errata/RHSA-2018:3065

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 7 Nicolas Lécureuil 2020-05-22 20:55:29 CEST
CVE-2017-13735 is not valid on mga7, fixed in 0.18.3

Comment 8 David Walser 2020-05-22 20:59:22 CEST
(In reply to Nicolas Lécureuil from comment #7)
> CVE-2017-13735 is not valid on mga7, fixed in 0.18.3

This bug is for libkdcraw though.  Did it get fixed in that too?

Comment 9 Nicolas Lécureuil 2020-12-27 00:12:25 CET
Needs to be checked on mga7 still.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 10 David Walser 2020-12-27 00:20:47 CET
Please provide information about how/when/where Cauldron was fixed when changing bugs' version assignment.

Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO

David Walser 2020-12-28 17:09:24 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 11 David Walser 2020-12-29 00:09:21 CET
libkdcraw is built against the system libraw as of Mageia 7.

Status: REOPENED => RESOLVED
Whiteboard: MGA8TOO, MGA7TOO => (none)
Version: Cauldron => 7
Resolution: (none) => FIXED