Mageia Bugzilla – Bug 11149
libraw, libkdcraw, darktable, xbmc, rawtherapee, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439
Last modified: 2014-02-17 01:39:55 CET
libraw has released version 0.15.4 on August 28:
According to this message on oss-security, it fixes two security issues:
It claims that libkdcraw and darktable are also vulnerable to these, due to the embedded copy of libraw they include. It also claims that shotwell contains an embedded copy of libraw, which is news to me, and could mean that it is vulnerable to CVE-2013-2126 as well, which we fixed in Bug 10346. It also claims that dcraw, which libraw was based on, is vulnerable, and that ufraw, which is based on dcraw, is also vulnerable.
libraw 0.15.4 has already been uploaded in Cauldron.
Steps to Reproduce:
Fedora has issued an advisory for libraw on August 30:
Ubuntu has issued an advisory for libkdcraw on September 30:
Judging from this, xbmc and rawtherapee may also be affected:
Removing Mageia 2 from the whiteboard due to EOL.
Set as mga3 only.
This hasn't been fully addressed in Cauldron yet.
Fedora has issued advisories for dcraw and ufraw on December 7:
- Cauldron: fixed with libkdcraw-4.11.4-2.mga4
- Mga 3: fixed with libkdcraw-4.10.5-1.2.mga3 in updates_testing
security update request: bug 12074
dcraw and ufraw have now been fixed in:
I haven't seen patches out there for the other affected packages, so I don't anticipate being able to fix them before Mageia 4, if at all. Therefore, removing from the security updates tracker for Mageia 4.
Anssi, Damien, and Jani, maybe we should update Mageia 3 and Mageia 4 to newer versions of xbmc, darktable, and shotwell (where applicable).
xbmc is on QA https://bugs.mageia.org/show_bug.cgi?id=12613 ;)
Funda, similarly, we should probably update rawtherapee to the newest upstream version 4.0.12.
Hmh, I had somehow missed this. A quick look suggests XBMC upstream is still vulnerable; I'll have to take a closer look ASAP.
I've looked at the shotwell, darktable, and rawtherapee packages regarding this.
shotwell builds against the system libraw and does not have a bundled copy, so it's not vulnerable.
darktable fixed this upstream in 1.2.3, which is the version included in Mageia 4, so only Mageia 3 is vulnerable. I've patched it in SVN and will push it soon.
rawtherapee includes a copy of dcraw.c in their code, which they convert to C++ (dcraw.cc) before compiling it. The newest rawtherapee (4.0.12) has dcraw 9.19 and is still vulnerable to CVE-2013-1438. The patch we applied to the dcraw package applies fine to the C++ version dcraw.cc. I've added this in Cauldron SVN, and we should backport this version to Mageia 3 and Mageia 4.
Also, both libraw and darktable contain old vulnerable copies of dcraw.c in their source trees, but they don't appear to actually build them.
XBMC includes an embedded copy of CxImage, which includes an embedded copy of libDCR, which is an old fork of dcraw.c.
I've patched our packages by porting the fix from libraw and updated the update request, bug #12613, and sent the patch to the libDCR and XBMC upstreams. The libDCR upstream (same as CxImage) may be dead, though.
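The comments above show why this bug spread across so many packages: several of them carry their own copy of dcraw.c (or a C++ conversion of it, as rawtherapee does) rather than linking the system library. The following scanner is an added example, not code from this bug or from any of the packages named in it. It walks a set of package source trees and reports every file that defines the `DCRAW_VERSION` macro, which the assumption here is that every vendored copy of dcraw keeps, together with the version it declares; the function names and the sample tree are constructed for the example, and the version floor passed to `outdated_copies` is a placeholder, since the thread notes that even dcraw 9.19 is still vulnerable to CVE-2013-1438.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Matches the version macro that dcraw.c (and C++ conversions of it) define,
# e.g. `#define DCRAW_VERSION "9.19"`. Assumption: every vendored copy keeps this line.
DCRAW_VERSION_RE = re.compile(r'^\s*#\s*define\s+DCRAW_VERSION\s+"([0-9.]+)"', re.M)

# Files worth inspecting: the original C source and C++ conversions such as rawtherapee's dcraw.cc.
SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".cxx", ".h")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "9.19" into (9, 19) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def find_dcraw_copies(root: str) -> List[Tuple[str, str]]:
    """Walk a source tree; return (relative path, version) for every file that defines DCRAW_VERSION."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            match = DCRAW_VERSION_RE.search(text)
            if match:
                hits.append((os.path.relpath(path, root), match.group(1)))
    return sorted(hits)


def outdated_copies(root: str, minimum: str) -> List[Tuple[str, str]]:
    """Return only the copies whose DCRAW_VERSION is below `minimum` (caller supplies the fixed version)."""
    floor = parse_version(minimum)
    return [(p, v) for p, v in find_dcraw_copies(root) if parse_version(v) < floor]


def build_sample_tree() -> str:
    """Constructed sample: two packages with a vendored dcraw, one that uses the system libraw."""
    root = tempfile.mkdtemp(prefix="dcraw-scan-")
    files = {
        # Constructed stand-in for a C++ conversion of dcraw.c (the rawtherapee pattern).
        "rawtherapee/rtengine/dcraw.cc": '// dcraw converted to C++\n#define DCRAW_VERSION "9.19"\nint dcraw_main() { return 0; }\n',
        # Constructed stand-in for an old, unbuilt copy sitting in a source tree.
        "darktable/tools/dcraw.c": '#define DCRAW_VERSION "9.17"\n',
        # A package that links the system library carries no such macro and is not reported.
        "shotwell/src/photo.c": '#include <libraw/libraw.h>\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, version in find_dcraw_copies(tree):
        print(f"{path}: dcraw {version}")
    # "9.20" is a placeholder floor for the example, not the actual fixed version.
    print("below floor:", outdated_copies(tree, "9.20"))
```

Pointing `find_dcraw_copies` at a directory of unpacked SRPMs gives the list of packages a dcraw advisory has to be checked against; a hit in a tree that never compiles the file (the libraw and darktable case described above) still deserves a note in the bug, since the next release may start building it.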
Thanks Anssi. I've pushed my changes to the build system (haven't backported rawtherapee yet). All packages in Cauldron should now be fixed. I'll file new bugs for darktable and rawtherapee.
I was able to backport the dcraw patch to the older versions in rawtherapee, so I patched it for Mageia 3 and Mageia 4, rather than updating it. Everything is now pushed to the build system and assigned to QA. Once the last of these updates is pushed, this bug can be closed.
All better now :o) Thanks everyone.