Upstream has released 0.15.2, fixing two security issues: http://www.libraw.org/news/libraw-0-15-1 http://www.libraw.org/news/libraw-0-15-2 http://secunia.com/advisories/53547/ CVEs have been requested but not assigned yet. Links to upstream commits: http://openwall.com/lists/oss-security/2013/05/29/1 Jani has already updated to 0.15.2 in Cauldron to fix this there. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
I guess we'll need to backport those fixes for versions in mga2 and mga3 as 0.15.2 comes with new libmajor. I'll check if we could backport those fixes or if other distors already have patches.
Thanks. It may not turn up in other distros until CVEs are assigned, so I'll let you know when that happens.
CVEs have been assigned: http://openwall.com/lists/oss-security/2013/05/29/7
Summary: libraw new security issues fixed in 0.15.2 => libraw new security issues CVE-2013-2126 and CVE-2013-2127
Seems like CVE-2013-2127 isn't a problem as 0.14.x versions aren't affected: https://bugzilla.redhat.com/show_bug.cgi?id=968382#c5 CVE-2013-2126 is fixed in upstream: https://github.com/LibRaw/LibRaw/commit/c14ae36d I'll apply the patch for CVE-2013-2126.
Summary: libraw new security issues CVE-2013-2126 and CVE-2013-2127 => libraw new security issue CVE-2013-2126
Thanks, so this is the only relevant one: http://www.libraw.org/news/libraw-0-15-2
Pushed new releases to fix CVE-2013-2126 to core/updates_testing. For mga2: libraw-0.14.5-1.1.mga2 For mga3: libraw-0.14.7-5.1.mga3
Thanks Jani! Advisory: ======================== Updated libraw packages fix security vulnerability: A double-free error exits when handling damaged full-color within Foveon and sRAW files in libraw before 0.15.2 (CVE-2013-2126). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2126 http://secunia.com/advisories/53547/ http://www.libraw.org/news/libraw-0-15-2 ======================== Updated packages in core/updates_testing: ======================== libraw-tools-0.14.5-1.1.mga2 libraw5-0.14.5-1.1.mga2 libraw_r5-0.14.5-1.1.mga2 libraw-devel-0.14.5-1.1.mga2 libraw-tools-0.14.7-5.1.mga3 libraw5-0.14.7-5.1.mga3 libraw_r5-0.14.7-5.1.mga3 libraw-devel-0.14.7-5.1.mga3 from SRPMS: libraw-0.14.5-1.1.mga2.src.rpm libraw-0.14.7-5.1.mga3.src.rpm
CC: (none) => jani.valimaaAssignee: jani.valimaa => qa-bugsSeverity: normal => major
No PoC's so just checking it installs ok and some of the tools work ok from.. $ urpmf libraw-tools | grep bin Note to new testers: When testing lib's on a 64bit machine the actual library, in this case libraw5 or libraw_r5 above, will be lib64raw5 & lib64raw_r5.
Testing complete mga3 64
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok
Testing complete mga2 32 & 64
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok
Testing complete mga3 32 Validating Advisory & srpms for Mageia 2 & 3 in comment 7 Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateWhiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-okCC: (none) => sysadmin-bugs
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=10427
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=10428
Packages have been pushed to updates.
Status: NEW => RESOLVEDCC: (none) => boklmResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/553302/
CC: boklm => (none)