Bug 26406

Summary: dcraw new security issue CVE-2018-19655
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: dcraw-9.28.0-2.mga7.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 24107    

Description David Walser 2020-04-01 00:28:42 CEST 
Fedora has issued an advisory on March 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RD65NMWZ5OQNUIF7CLGKLDG4LVPPMJY7/

Mageia 7 is also affected.
David Walser 2020-04-01 00:29:03 CEST

Status comment: (none) => Patch available from Fedora
Blocks: (none) => 24107

Comment 1 Nicolas Salguero 2020-04-01 22:08:32 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. (CVE-2017-13735)

In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-14608)

A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. (CVE-2018-19655)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19655
https://bugs.mageia.org/show_bug.cgi?id=21757
========================

Updated packages in core/updates_testing:
========================
dcraw-9.28.0-2.1.mga7
dcraw-gimp2.0-9.28.0-2.1.mga7

from SRPMS:
dcraw-9.28.0-2.1.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Nicolas Salguero 2020-04-01 22:09:12 CEST

Source RPM: dcraw-9.28.0-4.mga8.src.rpm => dcraw-9.28.0-2.mga7.src.rpm

David Walser 2020-04-01 22:43:04 CEST

Status comment: Patch available from Fedora => (none)

Comment 2 Herman Viaene 2020-04-02 14:12:39 CEST 
MGA7-64 Plasma on Lenovo B50
When selectting the dcraw-gimp2.0-9.28.0-2.1.mga7, I get the message:
"The following package has to be removed for others to be upgraded:
ufraw-gimp-0.22-11.mga7.x86_64
 (due to conflicts with dcraw-gimp2.0)"
Is that expected??
Proceeding with the installation.
When opening a raw file from dolphin with GIMP I get:
"Opening '/home/tester7/Pictures/RawORF/KODAK_C603_C643_FORMAT422_CCDI0001.RAW' failed: There is no RAW loader installed to open 'Raw Pentax PEF' files.

GIMP currently supports these RAW loaders:
- darktable (http://www.darktable.org/), at least 1.7
- RawTherapee (http://rawtherapee.com/), at least 5.2

Please install one of them in order to load RAW files."

Opening an ORF (Olympus) and a CR2 (Canon) works OK, but trying a NEF(Nikon) throws the same error as above.

I had previously no problems with those files, but I had always the ufraw installed which waas now thrown out.
To me this situation is a nogo.

CC: (none) => herman.viaene

Comment 3 David Walser 2020-04-02 14:15:01 CEST 
The conflicts are what they are, and have nothing to do with does it actually work.
Comment 4 Herman Viaene 2020-04-02 14:20:46 CEST 
OK, I could live with that, provided all types of RAW where handled, but they are not.
In the current situation, chances are that users implementing this update and using the Pentax or Nikon files are left out in the cold.
Comment 5 David Walser 2020-04-02 14:28:28 CEST 
I'm guessing it's not a regression in this update, just a deficiency in dcraw in general.
Comment 6 Herman Viaene 2020-04-02 14:39:53 CEST 
I'll try a downgrade tomorrow, as well as add ufraw again to the updated system.
Comment 7 Herman Viaene 2020-04-03 11:00:21 CEST 
Turns out the pentax raw does not open in gimp with ufraw either. Gimp states it requires either darktable or rawtherapee. Installing rawtherapee, I can handle the files in GIMP, regardless whether dcraw-gimp is present or not.
So, in the end the update of dcraw-gimp does not harm anything, that's the best I can say about it.
Is that enough to OKit?
Comment 8 David Walser 2020-04-03 14:40:17 CEST 
Sounds like it.
Herman Viaene 2020-04-03 14:42:15 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 9 Thomas Andrews 2020-04-03 16:15:21 CEST 
Then let's validate it. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-04-04 00:15:08 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 10 Mageia Robot 2020-04-04 00:54:39 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0157.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 11 David Walser 2021-01-03 23:37:40 CET 
*** Bug 21757 has been marked as a duplicate of this bug. ***