Bug 23252

Summary: dcraw new security issue CVE-2018-5801
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, marja11, shlomif, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: dcraw-9.27.0-2.mga7.src.rpm CVE: CVE-2018-5801
Status comment: Patch available from Fedora

Description David Walser 2018-06-29 19:50:51 CEST 
libraw 0.18.7 fixed CVE-2018-5801 (among other things) and dcraw is also affected.

Fedora has issued an advisory for this on June 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B4QRYU6SJD34FIOACDR2QA5F4C3CWPOB/

Fedora added a patch to 9.28 to fix this:
https://src.fedoraproject.org/cgit/rpms/dcraw.git/commit/?id=450f33d6fd161306d629a9b7c6f08364b6e2b311

See also Bug 21757 for some older issues that may or may not have been fixed.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-29 19:51:34 CEST

Status comment: (none) => Patch available from Fedora
CVE: (none) => CVE-2018-5801
Whiteboard: (none) => MGA6TOO
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21757

Comment 1 Marja Van Waes 2018-06-29 20:32:08 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2018-07-04 15:25:14 CEST 
Fixed in mga7.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 David Walser 2018-11-27 14:25:48 CET 
There's also CVE-2018-1956[5-8]:
https://www.openwall.com/lists/oss-security/2018/11/27/1
David Walser 2019-01-01 05:25:50 CET

Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron

David Walser 2019-01-01 05:26:10 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

David Walser 2019-01-01 05:27:18 CET

Depends on: (none) => 24107

Comment 4 David Walser 2019-01-01 05:27:36 CET 
(In reply to David Walser from comment #3)
> There's also CVE-2018-1956[5-8]:
> https://www.openwall.com/lists/oss-security/2018/11/27/1

Moved to Bug 24107.
Comment 5 Shlomi Fish 2019-01-02 14:57:14 CET 
dcraw-9.26.0-1.1 was submitted to mga6 core/updates testing.
Comment 6 David Walser 2019-01-02 15:12:32 CET 
Advisory:
========================

Updated dcraw packages fix security vulnerability:

A NULL pointer dereference flaw was found in the way dcraw processed images. An
attacker could potentially use this flaw to crash dcraw by tricking it into
processing crafted images (CVE-2018-5801).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5801
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B4QRYU6SJD34FIOACDR2QA5F4C3CWPOB/
========================

Updated packages in core/updates_testing:
========================
dcraw-9.27.0-1.1.mga6
dcraw-gimp2.0-9.27.0-1.1.mga6

from dcraw-9.27.0-1.1.mga6.src.rpm

Depends on: 24107 => (none)
Assignee: shlomif => qa-bugs
See Also: https://bugs.mageia.org/show_bug.cgi?id=21757 => (none)
CC: (none) => shlomif

Comment 7 Herman Viaene 2019-01-05 11:37:24 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 15926 Comment 1
at CLI.
$ dcraw -iv *.ORF
P7212389.ORF is een Olympus E-500 afbeelding.
P7212390.ORF is een Olympus E-500 afbeelding.
P7212391.ORF is een Olympus E-500 afbeelding.
P7212392.ORF is een Olympus E-500 afbeelding.
and
$ strace -o dcraw.txt gimp
and opening an ORF file in gimp, shows in the trace:

lstat64("/usr/lib/gimp/2.0/plug-ins/rawphoto", {st_mode=S_IFREG|0755, st_size=15068, ...}) = 0
access("/usr/lib/gimp/2.0/plug-ins/rawphoto", X_OK) = 0
and picture shows OK. 
/usr/lib/gimp/2.0/plug-ins/rawphoto is installed by dcraw-gimp2.0

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Lewis Smith 2019-01-06 10:15:24 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Mageia Robot 2019-01-06 17:42:30 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED