| Summary: | libraw new security issues CVE-2018-20337, CVE-2018-2036[3-5], and CVE-2018-581[7-9] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | José Jorge <lists.jjorge> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | marja11, mhrambo3501 |
| Version: | 6 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | libraw-0.18.13-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-12-30 01:46:55 CET
Assigning to the registered maintainer. CC:
(none) =>
marja11 "The POCs exploits inconsistency in Sinar-4Shot files handling. LibRaw 0.19 does not support this files format, so it is not subject of exactly same problem" AFAI understand, this security issue does not concern also the version 0.18 we provide in MGA6, because it did not know this file format. Status:
NEW =>
RESOLVED Which of the 4 CVEs is that referring to? Note that there are 4 issues here. Resolution:
INVALID =>
(none) (In reply to David Walser from comment #3) > Which of the 4 CVEs is that referring to? Note that there are 4 issues here. "Three different CVE numbers was assigned for single problem: CVE-2018-20363, CVE-2018-20364, CVE-2018-20365" The last CVE is fixed with this code, which does not exist in 0.18 : https://github.com/LibRaw/LibRaw/commit/fbf60377c006eaea8d3eca3f5e4c654909dcdfd2 Status:
REOPENED =>
RESOLVED SUSE has issued an advisory for this on January 18: http://lists.suse.com/pipermail/sle-security-updates/2019-January/005044.html As far back 0.15.x is affected. It also adds more CVEs fixed upstream in 0.19.1. Status:
RESOLVED =>
REOPENED openSUSE has issued an advisory for this on January 29: https://lists.opensuse.org/opensuse-updates/2019-01/msg00099.html Ubuntu has issued an advisory for this on May 21: https://usn.ubuntu.com/3989-1/ Mageia 6 is EOL. CC:
(none) =>
mrambo |