Bug 10768 - [Security update candidate] libkdcraw
Summary: [Security update candidate] libkdcraw
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/553302/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Depends on:
Blocks: 10428
Reported: 2013-07-14 19:19 CEST by John Balcaen
Modified: 2014-05-08 18:04 CEST
CC List: 3 users

See Also:
Source RPM: libkdcraw-4.8.5-1.2.mga2.src.rpm
CVE:
Status comment:


Description John Balcaen 2013-07-14 19:19:48 CEST
libkdcraw has an embedded copy of libraw which is affected by a security issue; this update adds a patch to fix this issue.

src.rpm : libkdcraw-4.8.5-1.2.mga2.src.rpm

Files on x86_64 :
lib64kdcraw20-4.8.5-1.2.mga2.x86_64
libkdcraw-4.8.5-1.2.mga2.x86_64
libkdcraw-common-4.8.5-1.2.mga2.noarch
libkdcraw-debug-4.8.5-1.2.mga2.x86_64
libkdcraw-devel-4.8.5-1.2.mga2.x86_64

Files on i586 :
libkdcraw20-4.8.5-1.2.mga2.i586
libkdcraw-4.8.5-1.2.mga2.i586
libkdcraw-common-4.8.5-1.2.mga2.noarch
libkdcraw-devel-4.8.5-1.2.mga2.i586
libkdcraw-debug-4.8.5-1.2.mga2.i586
 
Proposal Advisory :
« This update fixes a security issue affecting due to a possible double-free() on error recovery on damaged full-color (Foveon, sRAW) files. (CVE-2013-2126)
You can read http://secunia.com/advisories/53547/ for more information
 »

John Balcaen 2013-07-14 19:20:10 CEST

CC: (none) => balcaen.john
Blocks: (none) => 10428

David Walser 2013-07-14 20:18:52 CEST

Component: New RPM package request => Security
QA Contact: (none) => security

Comment 1 David Walser 2013-07-14 20:23:24 CEST
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2126
http://secunia.com/advisories/53547/
http://www.libraw.org/news/libraw-0-15-2
http://www.ubuntu.com/usn/usn-1885-1/

URL: (none) => http://lwn.net/Vulnerabilities/553302/
Severity: normal => major

Comment 2 Dave Hodgins 2013-07-15 21:48:45 CEST
No poc, so just need to ensure programs like kphotoalbum, krita, and showfoto
all work, with various image types.

CC: (none) => davidwhodgins
Whiteboard: (none) => has_procedure

Comment 4 claire robinson 2013-07-18 14:52:51 CEST
Testing complete mga2 64

Opened several raw format photos (Canon CR2, Nikon CR2 & an NEF) in showfoto under strace.

It displays information on each image after loading. Grep for kdcraw shows it loading the library files.

Whiteboard: has_procedure => has_procedure mga2-64-ok
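The check described in the comment above (run the viewer under strace, then grep the trace for kdcraw) can be scripted so the QA result is a pass/fail rather than eyeballed output. This is an added example, not code from the bug report or from the Mageia packagers; the strace invocation at the end is the assumed way to capture the log, and the sample trace lines are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from an strace log whether
# the application under test really loaded the libkdcraw shared library.
#
# Expected input on stdin: output of
#   strace -f -o showfoto.trace -e trace=open,openat showfoto IMG.CR2
# (assumed invocation; any open/openat trace in strace's usual format works).

# Print the unique paths of every shared object the traced program opened
# successfully. Failed opens ("= -1 ENOENT ...") are dropped so that a
# library merely searched for on the loader path does not count as loaded.
opened_libs() {
    grep -E '^(\[pid +[0-9]+\] )?open(at)?\(' \
      | grep -v '= -1 ' \
      | grep -oE '"[^"]*\.so(\.[0-9]+)*"' \
      | tr -d '"' \
      | sort -u
}

# Exit 0 when a libkdcraw library appears among the loaded objects, 1 otherwise.
check_kdcraw_loaded() {
    opened_libs | grep -q 'libkdcraw'
}

# Constructed sample trace: one successful libkdcraw load, one failed lookup
# of a bundled libraw that does not exist on this system, one image file open.
SAMPLE_TRACE='openat(AT_FDCWD, "/usr/lib64/libkdcraw.so.20", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libraw.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  1234] openat(AT_FDCWD, "/home/qa/IMG_0001.CR2", O_RDONLY) = 4
open("/usr/lib64/libkdcraw.so.20.0.0", O_RDONLY) = 5'

# Demonstration on the constructed sample when run directly.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TRACE" | opened_libs
    if printf '%s\n' "$SAMPLE_TRACE" | check_kdcraw_loaded; then
        echo "libkdcraw loaded: OK"
    else
        echo "libkdcraw NOT loaded"
        exit 1
    fi
fi
```

In a real run the trace file is fed in instead of the sample (`check_kdcraw_loaded < showfoto.trace`), and the same filter can be pointed at the lib64kdcraw20 path from the package list to confirm the updated build, not a stale copy elsewhere on the library path, is the one being opened.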

Comment 5 claire robinson 2013-07-18 15:11:21 CEST
Testing complete mga2 32

It's actually two different Canon CR2s and a Nikon NEF (raw format images).

Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok

Comment 6 claire robinson 2013-07-18 15:14:46 CEST
Validating. Advisory from comment 0 already uploaded.

Could sysadmin please push from 2 core/updates_testing to core/updates.

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Nicolas Vigier 2013-07-21 12:00:11 CEST
http://advisories.mageia.org/MGASA-2013-0219.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:41 CEST

CC: boklm => (none)
