Bug 10768 - [Security update candidate] libkdcraw
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/553302/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Depends on:
Blocks: 10428
Reported: 2013-07-14 19:19 CEST by John Balcaen
Modified: 2014-05-08 18:04 CEST

See Also:
Source RPM: libkdcraw-4.8.5-1.2.mga2.src.rpm
CVE:


Description John Balcaen 2013-07-14 19:19:48 CEST
libkdcraw has an embedded copy of libraw, which is affected by a security issue; this update adds a patch to fix this issue.

src.rpm : libkdcraw-4.8.5-1.2.mga2.src.rpm

Files on x86_64 :
lib64kdcraw20-4.8.5-1.2.mga2.x86_64
libkdcraw-4.8.5-1.2.mga2.x86_64
libkdcraw-common-4.8.5-1.2.mga2.noarch
libkdcraw-debug-4.8.5-1.2.mga2.x86_64
libkdcraw-devel-4.8.5-1.2.mga2.x86_64

Files on i586 :
libkdcraw20-4.8.5-1.2.mga2.i586
libkdcraw-4.8.5-1.2.mga2.i586
libkdcraw-common-4.8.5-1.2.mga2.noarch
libkdcraw-devel-4.8.5-1.2.mga2.i586
libkdcraw-debug-4.8.5-1.2.mga2.i586
 
Proposal Advisory :
« This update fixes a security issue affecting  due to a possible double-free() on error recovery on damaged full-color (Foveon, sRAW) files. (CVE 2013-2126)
You can read http://secunia.com/advisories/53547/ for more information.
 »

Reproducible: 

Steps to Reproduce:
Comment 2 Dave Hodgins 2013-07-15 21:48:45 CEST
No PoC, so just need to ensure programs like kphotoalbum, krita, and showfoto
all work, with various image types.
Comment 4 claire robinson 2013-07-18 14:52:51 CEST
Testing complete mga2 64

Opened several raw format photos (Canon CR2, Nikon CR2 & an NEF) in showfoto under strace.

It displays information on each image after loading. Grep for kdcraw shows it loading the library files.
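
The strace check described in the comment above, as an added example that is not part of the original bug report: a plain grep for kdcraw also matches the loader's failed path probes, so this filter keeps only opens that returned a valid descriptor. The log lines and paths are constructed sample data.

```shell
#!/bin/sh
# Added example: list the libraries a traced process really opened.
# A log like this can be produced with:  strace -f -o showfoto.trace showfoto photo.CR2

# Constructed sample log (not captured from a real run).
sample_log() {
cat <<'EOF'
1234 open("/usr/lib64/kde4/libkdcraw.so.20", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 open("/usr/lib64/libkdcraw.so.20", O_RDONLY) = 5
1234 openat(AT_FDCWD, "/usr/lib64/libkexiv2.so.10", O_RDONLY|O_CLOEXEC) = 6
1234 stat("/usr/share/apps/libkdcraw/profiles", 0x7fff) = -1 ENOENT (No such file or directory)
1234 open("/usr/lib64/libkdcraw.so.20", O_RDONLY) = 7
1234 open("/home/user/photos/IMG_0001.CR2", O_RDONLY) = 9
EOF
}

# loaded_libs NAME < strace.log
# Prints each distinct path containing NAME for which open()/openat()
# returned a non-negative file descriptor. Failed probes (-1 ENOENT) and
# other syscalls such as stat() are ignored.
loaded_libs() {
    awk -v name="$1" '
        /open(at)?\(/ && / = [0-9]+$/ {
            if (match($0, /"[^"]+"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (index(path, name) && !(path in seen)) {
                    seen[path] = 1
                    print path
                }
            }
        }'
}

# Stand-alone run against the constructed sample.
sample_log | loaded_libs kdcraw
```

On a real system, `rpm -qf` on each printed path shows which installed package version owns the library that was loaded.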
Comment 5 claire robinson 2013-07-18 15:11:21 CEST
Testing complete mga2 32

It's actually two different Canon CR2s and a Nikon NEF raw format image.
Comment 6 claire robinson 2013-07-18 15:14:46 CEST
Validating. Advisory from comment 0 already uploaded.

Could sysadmin please push from 2 core/updates_testing to core/updates.

Thanks!
Comment 7 Nicolas Vigier 2013-07-21 12:00:11 CEST
http://advisories.mageia.org/MGASA-2013-0219.html
