Bug 12074 - libkdcraw - libraw security issues CVE-2013-1438 and CVE-2013-1439
: libkdcraw - libraw security issues CVE-2013-1438 and CVE-2013-1439
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: has_procedure advisory mga3-32-ok mga...
: validated_update
:
: 11149
  Show dependency treegraph
 
Reported: 2013-12-22 01:02 CET by Luc Menut
Modified: 2013-12-23 18:30 CET (History)
5 users (show)

See Also:
Source RPM: libkdcraw-4.10.5-1.1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description Luc Menut 2013-12-22 01:02:48 CET
Description of problem:
Patched packages uploaded for Mageia 3.

Advisory:
========================

Updated libkdcraw packages fix libraw security vulnerabilities:

It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, applications linked against LibRaw could be made to crash, resulting
in a denial of service (CVE-2013-1438, CVE-2013-1439).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1439
========================

Updated packages in core/updates_testing:
========================
i586:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.i586.rpm
libkdcraw22-4.10.5-1.2.mga3.i586.rpm
libkdcraw-devel-4.10.5-1.2.mga3.i586.rpm
libkdcraw-debug-4.10.5-1.2.mga3.i586.rpm

x86_64:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw22-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-devel-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-debug-4.10.5-1.2.mga3.x86_64.rpm

from SRPMS:
libkdcraw-4.10.5-1.2.mga3.src.rpm



Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-12-22 01:32:49 CET
Thanks Luc!

I'd like to add one more URL to the references:
http://www.ubuntu.com/usn/usn-1978-1/
Comment 2 Luc Menut 2013-12-22 01:55:59 CET
(In reply to David Walser from comment #1)
> Thanks Luc!
> 
> I'd like to add one more URL to the references:
> http://www.ubuntu.com/usn/usn-1978-1/

I didn't mention this reference because this Ubuntu update is for libkdcraw 4.8.5 which embeds libraw 0.14.4, while libkdcraw 4.10.5 embeds libraw 0.15.
So, I didn't use their patch, but I adapted upstream patch from the branch 0.15 https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad .
Comment 3 claire robinson 2013-12-23 10:57:04 CET
Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5

Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
Debian apear to be updating libraw, redhat ufraw.


No PoC's.
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768
Comment 4 Luc Menut 2013-12-23 11:34:06 CET
(In reply to claire robinson from comment #3)
> Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5
> 
> Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
> Debian apear to be updating libraw, redhat ufraw.

It seems that we have already updated libraw with libraw-0.14.7-5.2.mga3 (bug 11376). For ufraw, I don't know. I mainly contribute on kde stuff, and I don't have enough free time to help more, sorry.

> 
> 
> No PoC's.
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768

yep
Comment 5 claire robinson 2013-12-23 13:17:05 CET
Testing complete mga3 32
Comment 6 claire robinson 2013-12-23 13:30:18 CET
Testing complete mga3 64

Advisory uploaded without the ubuntu reference, let me know David please if you still want it there.

Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 7 David Walser 2013-12-23 14:00:51 CET
(In reply to claire robinson from comment #6)
> Testing complete mga3 64
> 
> Advisory uploaded without the ubuntu reference, let me know David please if
> you still want it there.

It would be helpful, yes.

And you're right that there are other packages affected, we have Bug 11149 for that.  Hopefully we'll have time to get it addressed soon.
Comment 8 claire robinson 2013-12-23 14:03:37 CET
Added now.
Comment 9 Thomas Backlund 2013-12-23 18:30:00 CET

Update pushed:
http://advisories.mageia.org/MGASA-2013-0385.html

Note You need to log in before you can comment on or make changes to this bug.