| Summary: | libraw minor security fixes upstream in 0.18.13 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, lists.jjorge, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | libraw-0.18.11-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-06-15 18:59:15 CEST
David Walser
2018-06-15 18:59:58 CEST
CC: (none) => nicolas.salguero

0.18.13 fixes two more security issues:
https://www.libraw.org/download

- fixed possible stack overrun while reading zero-sized strings
- fixed possible integer overflow

Fedora has issued an advisory for this today (July 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SAILUJLX73GTMC4BTJPFRXMDQIFLWFMV/

Summary: libraw minor security fixes upstream in 0.18.12 => libraw minor security fixes upstream in 0.18.13

0.18.12 fixed CVE-2018-5815:
https://bugzilla.suse.com/show_bug.cgi?id=1103206

openSUSE has issued an advisory for this today (August 10):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00068.html

0.18.12 fixed CVE-2018-5816:
https://bugzilla.redhat.com/show_bug.cgi?id=1610156

Pushed 0.8.13 to both Cauldron and MGA6.

Suggested advisory:
Several security fixes have been done in libraw version 0.18.13. Version 0.18.12 also fixed CVE-2018-5815 and CVE-2018-5816.

Ref:
https://bugzilla.suse.com/show_bug.cgi?id=1103206
https://bugzilla.redhat.com/show_bug.cgi?id=1610156
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SAILUJLX73GTMC4BTJPFRXMDQIFLWFMV/

SRPM:
libraw-0.18.13-1.mga6.srpm

RPMS:
libraw-tools-0.18.13-1.mga6.i586.rpm
libraw16-0.18.13-1.mga6.i586.rpm
libraw_r16-0.18.13-1.mga6.i586.rpm
libraw-devel-0.18.13-1.mga6.i586.rpm

Whiteboard: MGA6TOO => (none)

Mageia 6, x86_64

Could find no discussion on reproducing the integer overflow for CVE-2018-5815 so went ahead and updated the packages and tested them against a set of local raw camera image files.

$ 4channels RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Black level (unscaled)=0
Writing file RAW_NIKON_D1.NEF.R.tiff
Writing file RAW_NIKON_D1.NEF.G.tiff
Writing file RAW_NIKON_D1.NEF.B.tiff
Writing file RAW_NIKON_D1.NEF.G2.tiff

$ multirender_test RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Writing file RAW_NIKON_D1.NEF.1.ppm
[...]
Writing file RAW_NIKON_D1.NEF.8.ppm

The individual PPM frames rendered as valid images in ImageMagick display.

$ postprocessing_benchmark -R 20 RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
18.2 msec for unpack
Performance: 8.52 Mpix/sec
File: RAW_NIKON_D1.NEF, Frame: 0 2.7 total Mpix, 312.6 msec
Params: WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0
Crop: 0-0:2012x1324, active Mpix: 2.66, 3.2 frames/sec

$ raw-identify RAW_OLYMPUS*
RAW_OLYMPUS_C8080.ORF is a Olympus C8080WZ image.
Cannot decode RAW_OLYMPUS_C8080.ORF.ppm: Unsupported file format or not RAW file
Cannot decode RAW_OLYMPUS_C8080.ORF.thumb.jpg: Unsupported file format or not RAW file
RAW_OLYMPUS_E420.ORF is a Olympus E-420 image.
RAW_OLYMPUS_E5.ORF is a Olympus E-5 image.
RAW_OLYMPUS_E-PL7.ORF is a Olympus E-PL7 image.
RAW_OLYMPUS_SP350.ORF is a Olympus SP350 image.

$ unprocessed_raw RAW_CANON_D60_ARGB.CRW
Processing file RAW_CANON_D60_ARGB.CRW
Image size: 3088x2056
Raw size: 3152x2068
Margins: top=12, left=64
Unpacked....
Stored to file RAW_CANON_D60_ARGB.CRW.pgm

$ display RAW_CANON_D60_ARGB.CRW.pgm

That displayed a completely black frame.

$ nomacs RAW_CANON_D60_ARGB.CRW
[INFO] Hi there
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkViewPortInterface*, bool) to nmc::DkControlWidget::setPluginWidget(DkViewPortInterface*, bool)
[WARNING] QObject::connect: Cannot connect (null)::applyPluginChanges(bool) to nmc::DkControlWidget::applyPluginChanges(bool)
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkPluginContainer*, const QString&) to nmc::DkViewPort::applyPlugin(DkPluginContainer*, const QString&)
[INFO] local client created in: 3 ms
[INFO] CSS loaded from: ":/nomacs/stylesheet.css"
[INFO] LAN client created in: 0 ms
[INFO] Initialization takes: 47 ms
invalid type value detected in Image::printIFDStructure: 0
Warning: Directory Canon, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
[INFO] "/home/lcl/qa/libraw/RAW_CANON_D60_ARGB.CRW" loaded in 23 ms

The nomacs command displayed the original as a valid image. This is not a regression when compared with earlier tests.

$ unprocessed_raw -g RAW_CANON_D60_ARGB.CRW
Processing file RAW_CANON_D60_ARGB.CRW
Image size: 3088x2056
Raw size: 3152x2068
Margins: top=12, left=64
Unpacked....
Gamma-corrected....
Stored to file RAW_CANON_D60_ARGB.CRW.pgm

RAW_CANON_D60_ARGB.CRW.pgm displayed as a greyscale image of low surface brightness.

$ unprocessed_raw -g -A -T RAW_CANON_D60_ARGB.CRW
Processing file RAW_CANON_D60_ARGB.CRW
Image size: 3088x2056
Raw size: 3152x2068
Margins: top=12, left=64
Unpacked....
Scaling with multiplier=23 (max=2771)
Gamma-corrected....
Stored to file RAW_CANON_D60_ARGB.CRW.tiff

$ display RAW_CANON_D60_ARGB.CRW.tiff

A greyscale image again but brighter.

Used nomacs to click through the RAW images - all displayed fine.

$ nomacs *RAW*

$ mem_image -6 'KODAK C603 C643 Format 420 CCDI0001.RAW'

This created a PPM image which looked good in display or nomacs.

$ simple_dcraw -L | wc -l
931

That is the number of supported cameras.

$ simple_dcraw -T *RAW*

This created a series of TIFF images of the originals - the default is ppm or pgm.

This all looks good so far.

CC: (none) => tarazed25

Validating, on the basis of Len's extensive tests. Suggested advisory in Comment 4.

Keywords: (none) => validated_update

More verbose advisory (added to svn):

type: security
subject: Updated libraw packages fix security vulnerabilities
CVE:
 - CVE-2018-5815
 - CVE-2018-5816
src:
  6:
   core:
     - libraw-0.18.13-1.mga6
description: |
  This update provides libraw 0.18.13 fixing at least the following
  security issues:

  LibRaw versions prior to 0.18.12 are vulnerable to an integer overflow
  in the internal/dcraw_common.cpp:parse_qt() function. An attacker could
  exploit this to cause an infinite loop via a specially crafted Apple
  QuickTime file (CVE-2018-5815).

  LibRaw versions prior to 0.18.12 are vulnerable to an integer overflow
  in the internal/dcraw_common.cpp:identify() function. An attacker could
  exploit this to cause a divide-by-zero and resultant denial of service
  via a specially crafted NOKIARAW file (CVE-2018-5816).

  libraw 0.18.13 adds fixes for:
  * possible stack overrun while reading zero-sized strings
  * possible integer overflow
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23186
 - https://bugzilla.suse.com/show_bug.cgi?id=1103206
 - https://bugzilla.redhat.com/show_bug.cgi?id=1610156
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SAILUJLX73GTMC4BTJPFRXMDQIFLWFMV/

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0356.html

Resolution: (none) => FIXED |
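
An added illustration of the bug class the advisory describes for CVE-2018-5815 (this is not LibRaw's parse_qt() code and not part of the bug report): a container walker that advances by an unvalidated 32-bit size field can wrap its offset and stop making progress, while a bounds check rejects the atom. The function names, sample buffers and step budget are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define WALK_REJECTED    (-1)  /* checked walker refused a malformed atom */
#define WALK_NO_PROGRESS (-2)  /* step budget exhausted: the walk was looping */

/* Constructed samples: two well-formed 8-byte atoms, and a second atom whose
   size field (0xFFFFFFF8) makes 8 + size wrap to 0 in 32-bit arithmetic. */
static const uint8_t GOOD[16] = {0,0,0,8,'f','t','y','p', 0,0,0,8,'f','r','e','e'};
static const uint8_t BAD[16]  = {0,0,0,8,'f','t','y','p',
                                 0xFF,0xFF,0xFF,0xF8,'f','r','e','e'};

/* QuickTime atom headers start with a big-endian 32-bit size. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk top-level atoms and return how many were visited. With checked == 0
   the next offset is pos + size with no validation; max_steps exists only
   so the demonstration terminates instead of spinning forever. */
int walk_atoms(const uint8_t *buf, uint32_t len, int checked, int max_steps) {
    uint32_t pos = 0;
    int steps = 0;
    while (len >= 8 && pos <= len - 8) {
        uint32_t size = be32(buf + pos);
        if (size < 8)
            return steps;                 /* smaller than its own header: stop */
        if (checked && size > len - pos)
            return WALK_REJECTED;         /* atom claims more than remains */
        if (++steps > max_steps)
            return WALK_NO_PROGRESS;
        pos += size;                      /* unchecked: may wrap modulo 2^32 */
    }
    return steps;
}

int main(void) {
    printf("good, unchecked: %d\n", walk_atoms(GOOD, 16, 0, 1000));
    printf("bad,  unchecked: %d\n", walk_atoms(BAD, 16, 0, 1000));
    printf("bad,  checked:   %d\n", walk_atoms(BAD, 16, 1, 1000));
    return 0;
}
```

Comparing `size` against `len - pos` rather than testing `pos + size` against `len` keeps the check itself free of the wraparound it is guarding against.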