libraw has released version 0.15.4 on August 28: http://www.libraw.org/news/libraw-0-15-4 According to this message on oss-security, it fixes two security issues: http://openwall.com/lists/oss-security/2013/08/29/3 It claims that libkdcraw and darktable are also vulnerable to these, due to the embedded copy of libraw they include. It also claims that shotwell contains an embedded copy of libraw, which is news to me, and could mean that it is vulnerable to CVE-2013-2126 as well, which we fixed in Bug 10346. It also claims that dcraw, which libraw was based on, is vulnerable, and that ufraw, which is based on dcraw, is also vulnerable. libraw 0.15.4 has already been uploaded in Cauldron. Reproducible: Steps to Reproduce:
CC: (none) => balcaen.john, jani.valimaa, lmenut, mageia, nicolas.lecureuilWhiteboard: (none) => MGA3TOO, MGA2TOO
Fedora has issued an advisory for libraw on August 30: https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115367.html
URL: (none) => http://lwn.net/Vulnerabilities/566156/
Ubuntu has issued an advisory for libkdcraw on September 30: http://www.ubuntu.com/usn/usn-1978-1/
Judging from this, xbmc and rawtherapee may also be affected: http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1438.html
CC: (none) => anssi.hannula, fundawang
Severity: normal => major
Depends on: (none) => 11376
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
set as mga3 only.
Blocks: 11726 => (none)Version: Cauldron => 3Whiteboard: MGA3TOO => (none)
This hasn't been fully addressed in Cauldron yet.
Blocks: (none) => 11726Version: 3 => CauldronWhiteboard: (none) => MGA3TOO
Fedora has issued advisories for dcraw and ufraw on December 7: https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html
Depends on: (none) => 12074
libkdcraw: - Cauldron: fixed with libkdcraw-4.11.4-2.mga4 http://svnweb.mageia.org/packages?view=revision&revision=559662 - Mga 3: fixed with libkdcraw-4.10.5-1.2.mga3 in updates_testing http://svnweb.mageia.org/packages?view=revision&revision=559670 security update request: bug 12074
Depends on: (none) => 12125
dcraw and ufraw have now been fixed in: dcraw-9.19-3.mga4 ufraw-0.19.2-5.mga4 dcraw-9.19-1.mga3 ufraw-0.19.2-5.mga3 I haven't seen patches out there for the other affected packages, so I don't anticipate being able to fix them before Mageia 4, if at all. Therefore, removing from the security updates tracker for Mageia 4.
Blocks: 11726 => (none)
Anssi, Damien, and Jani, maybe we should update Mageia 3 and Mageia 4 to newer versions of xbmc, darktable, and shotwell (where applicable).
xbmc is on qa https://bugs.mageia.org/show_bug.cgi?id=12613 ;)
Funda, similarly, we should probably update rawtherapee to the newest upstream version 4.0.12.
Hmh I had somehow missed this. Quick look suggests XBMC upstream is still vulnerable, I'll have to take a closer look ASAP.
CC: lmenut => (none)
I've looked at the shotwell, darktable, and rawtherapee packages regarding this. shotwell builds against the system libraw and does not have a bundled copy, so it's not vulnerable. darktable fixed this upstream in 1.2.3, which is the version included in Mageia 4, so only Mageia 3 is vulnerable. I've patched it in SVN and will push it soon. rawtherapee includes a copy of dcraw.c in their code, which they convert to C++ (dcraw.cc) before compiling it. The newest rawtherapee (4.0.12) has dcraw 9.19 and is still vulnerable to CVE-2013-1438. The patch we applied to the dcraw package applies fine to the C++ version dcraw.cc. I've added this in Cauldron SVN, and we should backport this version to Mageia 3 and Mageia 4. Also, both libraw and darktable contain old vulnerable copies of dcraw.c in their source trees, but they don't appear to actually build them.
Summary: libraw, libkdcraw, darktable, shotwell, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439 => libraw, libkdcraw, darktable, xbmc, rawtherapee, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439
XBMC includes an embedded copy of CxImage, which includes an embedded copy of libDCR, which is an old fork of dcraw.c. I've patched our packages by porting the fix from libraw and updated update request bug #12613, and sent the patch to libDCR and XBMC upstreams. The libDCR upstream (same as CxImage) may be dead, though.
Thanks Anssi. I've pushed my changes the build system (haven't backported rawtherapee yet). All packages in Cauldron should now be fixed. I'll file new bugs for darktable and rawtherapee.
Version: Cauldron => 4Depends on: (none) => 12613
Depends on: (none) => 12692
Depends on: (none) => 12693
I was able to backport the dcraw patch to the older versions in rawtherapee, so I patched it for Mageia 3 and Mageia 4, rather than updating it. Everything is now pushed to the build system and assigned to QA. Once the last of these updates is pushed, this bug can be closed.
All better now :o) Thanks everyone.
Status: NEW => RESOLVEDResolution: (none) => FIXED