Bug 21757

Summary: dcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, nicolas.salguero, qa-bugs, security
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO, MGA7TOO
Source RPM: dcraw-9.27.0-1.mga6.src.rpm CVE:
Status comment: Patches available from upstream
Bug Depends on: 21716, 24107    
Bug Blocks:    

Description David Walser 2017-09-22 17:14:00 CEST 
+++ This bug was initially created as a clone of Bug #21716 +++

Fedora has issued an advisory today (September 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/

The issues are fixed upstream in 0.18.4:
https://www.libraw.org/news/libraw-0-18-4

It looks like other things that embed this code are also affected, like we've seen in the past.  Fedora lists dcraw, libkdcraw, and rawtherapee as examples, and has issued an advisory for rawtherapee:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
David Walser 2017-09-22 17:14:14 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
Source RPM: libraw-0.18.2-1.mga6.src.rpm => dcraw-9.27.0-1.mga6.src.rpm

Comment 1 Marja Van Waes 2017-09-22 19:04:19 CEST 
Assigning to the registered maintainer of dcraw

Assignee: bugsquad => shlomif

David Walser 2017-09-25 16:53:48 CEST

Summary: dcraw new security issues CVE-2017-13735 and CVE-2017-14265 => dcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348

Comment 2 David Walser 2017-12-28 22:52:51 CET 
Nobody has patches for this yet, so we won't be able to fix this for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:18:37 CET

Status comment: (none) => Not fixed upstream as of end of 2017

David Walser 2018-06-29 19:51:34 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=23252

David Walser 2019-01-02 15:12:32 CET

See Also: https://bugs.mageia.org/show_bug.cgi?id=23252 => (none)

David Walser 2019-01-02 15:13:02 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=24107

David Walser 2019-06-23 19:25:02 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 3 Lewis Smith 2019-11-28 15:56:12 CET 
Re-assigning globally due to change to no specific maintainer.

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Assignee: shlomif => pkg-bugs

Comment 4 Lewis Smith 2019-11-28 16:03:14 CET 
See also bug 24107.
David Walser 2020-01-14 18:10:47 CET

See Also: https://bugs.mageia.org/show_bug.cgi?id=24107 => (none)
Depends on: (none) => 24107

Comment 5 David Walser 2020-03-04 22:02:11 CET 
Nicolas Salguero added patches for CVE-2017-13735 and CVE-2017-14608 in dcraw-9.28.0-4.mga8 in Cauldron.
David Walser 2020-12-28 17:09:31 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

David Walser 2020-12-28 22:10:22 CET

Status comment: Not fixed upstream as of end of 2017 => Patches available from upstream

Comment 7 Nicolas Lécureuil 2020-12-28 22:38:09 CET 
rawtherapee pushed in mga7 to fix CVE-2017-13735

src: 
     rawtherapee-5.6-1.1.mga7

Status comment: Patches available from upstream => Not fixed upstream as of end of 2017

Nicolas Lécureuil 2020-12-28 22:38:42 CET

Status comment: Not fixed upstream as of end of 2017 => Patches available from upstream

Comment 8 David Walser 2020-12-28 23:43:49 CET 
(In reply to Nicolas Lécureuil from comment #7)
> rawtherapee pushed in mga7 to fix CVE-2017-13735
> 
> src: 
>      rawtherapee-5.6-1.1.mga7

Thanks, this update is in Bug 27963.
Comment 9 David Walser 2021-01-03 23:37:40 CET 
Removing CVE-2017-14348 due to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1492123#c9

Otherwise it looks like we fixed all fixable issues in Bug 26406.

*** This bug has been marked as a duplicate of bug 26406 ***

Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED