Bug 11376 - libraw new security issues CVE-2013-1438 and CVE-2013-1439
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/566156/
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-32...
Keywords: validated_update
Blocks: 11149
Reported: 2013-10-04 19:39 CEST by David Walser
Modified: 2013-10-10 00:55 CEST (History)

Source RPM: libraw-0.14.7-5.mga3.src.rpm

Description David Walser 2013-10-04 19:39:43 CEST
Ubuntu has issued an advisory on September 23:
http://www.ubuntu.com/usn/usn-1964-1/

Patched packages uploaded for Mageia 2 and Mageia 3.

Cauldron was fixed with the update to 0.15.4:
http://www.libraw.org/news/libraw-0-15-4
http://openwall.com/lists/oss-security/2013/08/29/3

Advisory:
========================

Updated libraw packages fix security vulnerabilities:

It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, applications linked against LibRaw could be made to crash, resulting
in a denial of service (CVE-2013-1438, CVE-2013-1439).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1439
http://www.ubuntu.com/usn/usn-1964-1/
========================

Updated packages in core/updates_testing:
========================
libraw-tools-0.14.5-1.2.mga2
libraw5-0.14.5-1.2.mga2
libraw_r5-0.14.5-1.2.mga2
libraw-devel-0.14.5-1.2.mga2
libraw-tools-0.14.7-5.2.mga3
libraw5-0.14.7-5.2.mga3
libraw_r5-0.14.7-5.2.mga3
libraw-devel-0.14.7-5.2.mga3

from SRPMS:
libraw-0.14.5-1.2.mga2.src.rpm
libraw-0.14.7-5.2.mga3.src.rpm

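A check a QA tester could script for the verification done in this bug, as an added example (not code from this bug report or from Mageia): it scans urpmi "already installed" lines like the ones quoted in the comments and flags libraw packages whose version-release is still older than the fixed builds listed in the description, using a simplified rpm version comparison (no tilde/caret handling). The sample lines are constructed.

```python
import re

# Fixed libraw builds from the "Updated packages" list in this bug, keyed by release tag
FIXED = {
    "mga2": "0.14.5-1.2.mga2",
    "mga3": "0.14.7-5.2.mga3",
}

# Constructed sample, modelled on the urpmi output quoted in the QA comments
SAMPLE_LINES = """\
Package libraw5-0.14.7-5.1.mga3.i586 is already installed
Package libraw_r5-0.14.7-5.2.mga3.i586 is already installed
Package dcraw-9.12-4.mga3.i586 is already installed
Package libraw5-0.14.5-1.1.mga2.x86_64 is already installed
"""

# name - version-release.mgaN . arch  (only the libraw subpackages named in the bug)
PKG_RE = re.compile(
    r"(libraw(?:-tools|-devel|5|_r5))-(\d[\w.]*-\d[\w.]*\.(mga\d))\.(?:i586|x86_64|noarch)"
)

def _segments(s):
    # rpm compares alternating numeric and alphabetic runs; separators such as '.' are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings like rpm does. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers (10 > 2)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments means newer

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release on a tie."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_packages(text):
    """Return (package, installed version-release) pairs older than the fixed build."""
    found = []
    for m in PKG_RE.finditer(text):
        name, evr, rel = m.groups()
        fixed = FIXED.get(rel)
        if fixed is not None and evr_cmp(evr, fixed) < 0:
            found.append((name, evr))
    return found
```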
Comment 1 William Kenney 2013-10-06 19:04:11 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
libraw
Testing application:
dcraw   ( dcraw uses libraw to convert RAW images )

( Caution ) converting a Canon 25MB .CR2 RAW file to a tiff file requires
100% CPU processing power and creates a 102MB tiff file. Many image
display apps won't handle such large image files.


[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.7-5.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-4.mga3.i586 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Install libraw updates from core updates_testing:

[root@localhost wilcal]# urpmi libraw5 dcraw
Packages dcraw-9.12-4.mga3.i586, libraw5-0.14.7-5.2.mga3.i586 are already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 2 William Kenney 2013-10-06 19:33:46 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
libraw libraw_r5
Testing application:
dcraw   ( dcraw uses libraw to convert RAW images )

[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.7-5.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r5
Package libraw_r5-0.14.7-5.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-4.mga3.x86_64 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Install libraw & libraw_r5 updates from core updates_testing:

[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.7-5.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r5
Package libraw_r5-0.14.7-5.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-4.mga3.x86_64 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Comment 3 William Kenney 2013-10-06 19:42:13 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
libraw libraw_r5
Testing application:
dcraw   ( dcraw uses libraw to convert RAW images )


Install libraw updates from core updates_testing:

[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.7-5.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r5
Package libraw_r5-0.14.7-5.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-4.mga3.i586 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Comment 4 William Kenney 2013-10-06 20:00:16 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
libraw5 libraw_r5
Testing application:
dcraw   ( dcraw uses libraw to convert RAW images )


[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.5-1.1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r5
Package libraw_r5-0.14.5-1.1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-1.mga2.i586 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Install libraw updates from core updates_testing:

[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.5-1.2.mga2.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r5
Package libraw_r5-0.14.5-1.2.mga2.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-1.mga2.i586 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Comment 5 William Kenney 2013-10-06 20:09:36 CEST
Comment #2 should read:

In VirtualBox, M3, KDE, 64-bit
Comment 6 William Kenney 2013-10-06 20:20:22 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
libraw5 libraw_r5
Testing application:
dcraw   ( dcraw uses libraw to convert RAW images )


[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.5-1.1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r5
Package libraw_r5-0.14.5-1.1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-1.mga2.x86_64 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Install libraw updates from core updates_testing:

[root@localhost wilcal]# urpmi libraw5
Package libraw5-0.14.5-1.2.mga2.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r5
Package libraw_r5-0.14.5-1.2.mga2.i586 is already installed
[root@localhost wilcal]# urpmi dcraw
Package dcraw-9.12-1.mga2.x86_64 is already installed
Converting a Canon .CR2 image to a .tiff file using dcraw is successful

Comment 7 William Kenney 2013-10-06 20:22:16 CEST
Testing complete for mga2 32 & 64
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Comment 8 William Kenney 2013-10-06 20:22:50 CEST
Testing complete for mga3 32 & 64
Comment 9 David Walser 2013-10-06 23:49:39 CEST
Thanks William.

Removing the validated tag for the moment, as the advisory has not been uploaded in SVN yet.
Comment 10 claire robinson 2013-10-07 08:02:36 CEST
Well done William. Advisory uploaded.

Re-validating. Could somebody push to updates.

Thanks
Comment 11 Thomas Backlund 2013-10-10 00:55:13 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0301.html