Bug 11149 - libraw, libkdcraw, darktable, xbmc, rawtherapee, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/566156/
Whiteboard: MGA3TOO
Depends on: 11376 12074 12125 12613 12692 12693
Reported: 2013-09-04 03:07 CEST by David Walser
Modified: 2014-02-17 01:39 CET

See Also:
Source RPM: libraw-0.14.7-5.mga3.src.rpm
Status comment:


Description David Walser 2013-09-04 03:07:29 CEST
libraw has released version 0.15.4 on August 28:

According to this message on oss-security, it fixes two security issues:

It claims that libkdcraw and darktable are also vulnerable to these, due to the embedded copy of libraw they include.  It also claims that shotwell contains an embedded copy of libraw, which is news to me, and could mean that it is vulnerable to CVE-2013-2126 as well, which we fixed in Bug 10346.  It also claims that dcraw, which libraw was based on, is vulnerable, and that ufraw, which is based on dcraw, is also vulnerable.

libraw 0.15.4 has already been uploaded in Cauldron.


David Walser 2013-09-04 03:08:14 CEST

CC: (none) => balcaen.john, jani.valimaa, lmenut, mageia, nicolas.lecureuil
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-09-10 18:31:26 CEST
Fedora has issued an advisory for libraw on August 30:

URL: (none) => http://lwn.net/Vulnerabilities/566156/

Comment 2 David Walser 2013-10-02 00:52:23 CEST
Ubuntu has issued an advisory for libkdcraw on September 30:

Comment 3 David Walser 2013-10-04 19:30:38 CEST
Judging from this, xbmc and rawtherapee may also be affected:

CC: (none) => anssi.hannula, fundawang

David Walser 2013-10-04 19:32:13 CEST

Severity: normal => major

David Walser 2013-10-04 19:39:56 CEST

Depends on: (none) => 11376

David Walser 2013-11-21 23:05:17 CET

Blocks: (none) => 11726

Comment 4 David Walser 2013-11-22 16:12:41 CET
Removing Mageia 2 from the whiteboard due to EOL.


Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

Comment 5 Funda Wang 2013-11-24 16:56:28 CET
set as mga3 only.

Blocks: 11726 => (none)
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 6 David Walser 2013-11-24 16:59:02 CET
This hasn't been fully addressed in Cauldron yet.

Blocks: (none) => 11726
Version: 3 => Cauldron
Whiteboard: (none) => MGA3TOO

Luc Menut 2013-12-22 01:03:37 CET

Depends on: (none) => 12074

Comment 8 Luc Menut 2013-12-22 01:12:47 CET

- Cauldron: fixed with libkdcraw-4.11.4-2.mga4

- Mga 3: fixed with libkdcraw-4.10.5-1.2.mga3 in updates_testing
  security update request: bug 12074

David Walser 2013-12-27 14:46:06 CET

Depends on: (none) => 12125

Comment 9 David Walser 2013-12-27 14:48:07 CET
dcraw and ufraw have now been fixed in:

I haven't seen patches out there for the other affected packages, so I don't anticipate being able to fix them before Mageia 4, if at all.  Therefore, removing from the security updates tracker for Mageia 4.

Blocks: 11726 => (none)

Comment 10 David Walser 2014-02-05 22:23:04 CET
Anssi, Damien, and Jani, maybe we should update Mageia 3 and Mageia 4 to newer versions of xbmc, darktable, and shotwell (where applicable).

Comment 11 Manuel Hiebel 2014-02-05 22:36:36 CET
xbmc is on qa https://bugs.mageia.org/show_bug.cgi?id=12613 ;)

Comment 12 David Walser 2014-02-05 22:55:29 CET
Funda, similarly, we should probably update rawtherapee to the newest upstream version 4.0.12.

Comment 13 Anssi Hannula 2014-02-05 23:12:16 CET
Hmh I had somehow missed this. Quick look suggests XBMC upstream is still vulnerable, I'll have to take a closer look ASAP.

Luc Menut 2014-02-05 23:21:53 CET

CC: lmenut => (none)

Comment 14 David Walser 2014-02-09 20:02:18 CET
I've looked at the shotwell, darktable, and rawtherapee packages regarding this.

shotwell builds against the system libraw and does not have a bundled copy, so it's not vulnerable.

darktable fixed this upstream in 1.2.3, which is the version included in Mageia 4, so only Mageia 3 is vulnerable.  I've patched it in SVN and will push it soon.

rawtherapee includes a copy of dcraw.c in their code, which they convert to C++ (dcraw.cc) before compiling it.  The newest rawtherapee (4.0.12) has dcraw 9.19 and is still vulnerable to CVE-2013-1438.  The patch we applied to the dcraw package applies fine to the C++ version dcraw.cc.  I've added this in Cauldron SVN, and we should backport this version to Mageia 3 and Mageia 4.

Also, both libraw and darktable contain old vulnerable copies of dcraw.c in their source trees, but they don't appear to actually build them.

Summary: libraw, libkdcraw, darktable, shotwell, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439 => libraw, libkdcraw, darktable, xbmc, rawtherapee, dcraw, ufraw new security issues CVE-2013-1438 and CVE-2013-1439
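
The audit described in comment 14 (which source trees carry a dcraw-derived file, and whether the build actually names it) can be sketched as below. This is an added example, not code from the bug report or from any of the packages; the marker function names, the build-file patterns and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: function names found in dcraw.c that survive renaming or
# conversion of the file; two must match before a file is reported.
MARKERS = (b"parse_tiff_ifd", b"ljpeg_start", b"adobe_coeff")
SOURCE_EXT = (".c", ".cc", ".cpp", ".cxx")
BUILD_FILE = re.compile(r"^(CMakeLists\.txt|Makefile(\.am|\.in)?|.+\.(cmake|mk))$")

def find_bundled_dcraw(root):
    """Map each dcraw-derived source under root to True if a build file names it."""
    candidates, build_text = [], b""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if BUILD_FILE.match(name):
                build_text += data + b"\n"
            elif name.lower().endswith(SOURCE_EXT):
                if sum(marker in data for marker in MARKERS) >= 2:
                    candidates.append(path)
    report = {}
    for path in candidates:
        base = re.escape(os.path.basename(path).encode())
        # Whole-name match, so "dcraw.c" is not satisfied by "dcraw.cc".
        named = re.search(rb"(?<![\w-])" + base + rb"(?!\w)", build_text)
        report[os.path.relpath(path, root).replace(os.sep, "/")] = named is not None
    return report

def make_sample_tree():
    """Constructed source tree: one built copy, one stale copy, one unrelated file."""
    root = tempfile.mkdtemp(prefix="bundled-dcraw-")
    body = "void parse_tiff_ifd(int base) {}\nint ljpeg_start(void *jh) { return 0; }\n"
    files = {
        "CMakeLists.txt": "add_library(engine engine/dcraw.cc engine/main.cc)\n",
        "engine/dcraw.cc": body,      # converted copy that the build compiles
        "contrib/dcraw.c": body,      # old copy left in the tree, never built
        "engine/main.cc": "int main() { return 0; }\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for rel, built in sorted(find_bundled_dcraw(make_sample_tree()).items()):
        print(f"{rel}: {'referenced by build' if built else 'not referenced'}")
```

The build check is name-based only: a copy pulled in through a glob, an `#include`, or a generated file list would show as not referenced and still needs a manual look.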

Comment 15 Anssi Hannula 2014-02-09 20:06:53 CET
XBMC includes an embedded copy of CxImage, which includes an embedded copy of libDCR, which is an old fork of dcraw.c.

I've patched our packages by porting the fix from libraw and updated update request bug #12613, and sent the patch to libDCR and XBMC upstreams. The libDCR upstream (same as CxImage) may be dead, though.

Comment 16 David Walser 2014-02-09 20:18:12 CET
Thanks Anssi.  I've pushed my changes to the build system (haven't backported rawtherapee yet).  All packages in Cauldron should now be fixed.  I'll file new bugs for darktable and rawtherapee.

Version: Cauldron => 4
Depends on: (none) => 12613

David Walser 2014-02-09 20:26:22 CET

Depends on: (none) => 12692

David Walser 2014-02-09 21:08:00 CET

Depends on: (none) => 12693

Comment 17 David Walser 2014-02-09 21:11:40 CET
I was able to backport the dcraw patch to the older versions in rawtherapee, so I patched it for Mageia 3 and Mageia 4, rather than updating it.  Everything is now pushed to the build system and assigned to QA.  Once the last of these updates is pushed, this bug can be closed.

Comment 18 David Walser 2014-02-17 01:39:55 CET
All better now :o)  Thanks everyone.

Resolution: (none) => FIXED
