Bug 12074 - libkdcraw - libraw security issues CVE-2013-1438 and CVE-2013-1439
Summary: libkdcraw - libraw security issues CVE-2013-1438 and CVE-2013-1439
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal   Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
Depends on:
Blocks: 11149
Reported: 2013-12-22 01:02 CET by Luc Menut
Modified: 2013-12-23 18:30 CET (History)

See Also:
Source RPM: libkdcraw-4.10.5-1.1.mga3.src.rpm
CVE:
Status comment:



Description Luc Menut 2013-12-22 01:02:48 CET
Description of problem:
Patched packages uploaded for Mageia 3.

Advisory:
========================

Updated libkdcraw packages fix libraw security vulnerabilities:

It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, applications linked against LibRaw could be made to crash, resulting
in a denial of service (CVE-2013-1438, CVE-2013-1439).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1439
========================

Updated packages in core/updates_testing:
========================
i586:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.i586.rpm
libkdcraw22-4.10.5-1.2.mga3.i586.rpm
libkdcraw-devel-4.10.5-1.2.mga3.i586.rpm
libkdcraw-debug-4.10.5-1.2.mga3.i586.rpm

x86_64:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw22-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-devel-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-debug-4.10.5-1.2.mga3.x86_64.rpm

from SRPMS:
libkdcraw-4.10.5-1.2.mga3.src.rpm



Luc Menut 2013-12-22 01:03:37 CET

Blocks: (none) => 11149

Luc Menut 2013-12-22 01:16:22 CET

CC: (none) => balcaen.john, mageia
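The advisory above names the fixed release (4.10.5-1.2.mga3) for every libkdcraw sub-package. Whether a box actually has it is a version comparison, and rpm's comparison rules (digit runs compared numerically, letters lexically, separators ignored, a tilde sorting before everything) are worth seeing spelled out, since they are what makes 4.10.5 newer than 4.8.5 and 1.2.mga3 newer than 1.1.mga3. The script below is an added example, not code from this bug or from the libkdcraw package: it re-implements rpm's rpmvercmp algorithm in Python and runs it over a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output. The package names and the fixed version-release are taken from the advisory's list; the sample inventory, the function names, and the decision to ignore epoch are assumptions of this example.

```python
"""Flag installed packages that are older than the release this advisory ships.

Added example, not part of the Mageia bug or of the libkdcraw package: it
re-implements rpm's version comparison (rpmvercmp) in pure Python and runs it
over a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`.
"""
import string
import subprocess

# Fixed version-release for every package in the advisory's list (both arches).
FIXED_BY_ADVISORY = {
    name: ("4.10.5", "1.2.mga3")
    for name in (
        "libkdcraw-common", "libkdcraw", "libkdcraw22", "libkdcraw-devel",
        "libkdcraw-debug", "lib64kdcraw22", "lib64kdcraw-devel", "lib64kdcraw-debug",
    )
}

# Constructed sample of `rpm -qa` output for a half-updated Mageia 3 host
# (not a real inventory): three libkdcraw packages are still at 1.1.mga3.
SAMPLE_RPM_QA = """\
libkdcraw-common 4.10.5 1.1.mga3
libkdcraw 4.10.5 1.1.mga3
lib64kdcraw22 4.10.5 1.1.mga3
lib64kdcraw-devel 4.10.5 1.2.mga3
libraw 0.14.7 5.2.mga3
"""

_DIGITS = string.digits
_LETTERS = string.ascii_letters
_KEEP = _DIGITS + _LETTERS + "~"   # everything else is a separator


def _segment(s: str, pos: int, charset: str) -> str:
    """Longest run of characters from `charset` starting at s[pos]."""
    end = pos
    while end < len(s) and s[end] in charset:
        end += 1
    return s[pos:end]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does: -1, 0 or 1.

    Segments are runs of digits or of letters; separators are skipped; a
    numeric segment beats an alphabetic one; '~' sorts before anything,
    including end of string (so 1.0~rc1 < 1.0); when all compared segments
    tie, the side with characters left over is the newer one.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _KEEP:
            i += 1
        while j < len(b) and b[j] not in _KEEP:
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if tilde_a and tilde_b:
                i, j = i + 1, j + 1
                continue
            return -1 if tilde_a else 1
        if i >= len(a) or j >= len(b):
            break
        is_num = a[i] in _DIGITS
        charset = _DIGITS if is_num else _LETTERS
        seg_a = _segment(a, i, charset)
        seg_b = _segment(b, j, charset)
        if not seg_b:
            # Different segment types at this position: numeric side is newer.
            return 1 if is_num else -1
        i, j = i + len(seg_a), j + len(seg_b)
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):       # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(ver_a: str, rel_a: str, ver_b: str, rel_b: str) -> int:
    """Version first, release only on a tie.  Epoch is ignored in this example
    (the advisory's package list shows none); a full check compares it first."""
    rc = rpmvercmp(ver_a, ver_b)
    return rc if rc else rpmvercmp(rel_a, rel_b)


def vulnerable_packages(rpm_qa_output: str, fixed: dict) -> list:
    """(name, installed version-release) for each installed package that is in
    `fixed` and older than the fixed version-release."""
    found = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, ver, rel = parts
        if name in fixed and evr_cmp(ver, rel, *fixed[name]) < 0:
            found.append((name, f"{ver}-{rel}"))
    return found


def installed_from_rpm() -> str:
    """Live query of the local rpm database, same line format as SAMPLE_RPM_QA."""
    return subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME} %{VERSION} %{RELEASE}\n"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # On a real Mageia host, pass installed_from_rpm() instead of the sample.
    for name, evr in vulnerable_packages(SAMPLE_RPM_QA, FIXED_BY_ADVISORY):
        print(f"{name} {evr} is older than 4.10.5-1.2.mga3; update it")
```

Note that the check is keyed on the libkdcraw packages, not on the system libraw package: as comment 2 below points out, libkdcraw 4.10.5 carries its own embedded copy of libraw 0.15, so a current `libraw` package on the box says nothing about whether this fix is installed.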

Comment 1 David Walser 2013-12-22 01:32:49 CET
Thanks Luc!

I'd like to add one more URL to the references:
http://www.ubuntu.com/usn/usn-1978-1/
Comment 2 Luc Menut 2013-12-22 01:55:59 CET
(In reply to David Walser from comment #1)
> Thanks Luc!
> 
> I'd like to add one more URL to the references:
> http://www.ubuntu.com/usn/usn-1978-1/

I didn't mention this reference because this Ubuntu update is for libkdcraw 4.8.5, which embeds libraw 0.14.4, while libkdcraw 4.10.5 embeds libraw 0.15.
So I didn't use their patch, but adapted the upstream patch from the 0.15 branch: https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
Comment 3 claire robinson 2013-12-23 10:57:04 CET
Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5

Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
Debian appear to be updating libraw, Red Hat ufraw.


No PoCs.
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768
Comment 4 Luc Menut 2013-12-23 11:34:06 CET
(In reply to claire robinson from comment #3)
> Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5
> 
> Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
> Debian appear to be updating libraw, Red Hat ufraw.

It seems that we have already updated libraw with libraw-0.14.7-5.2.mga3 (bug 11376). For ufraw, I don't know. I mainly contribute on kde stuff, and I don't have enough free time to help more, sorry.

> 
> 
> No PoCs.
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768

yep
Comment 5 claire robinson 2013-12-23 13:17:05 CET
Testing complete mga3 32

Whiteboard: (none) => has_procedure mga3-32-ok

Comment 6 claire robinson 2013-12-23 13:30:18 CET
Testing complete mga3 64

Advisory uploaded without the Ubuntu reference; let me know, David, if you still want it there.

Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2013-12-23 14:00:51 CET
(In reply to claire robinson from comment #6)
> Testing complete mga3 64
> 
> Advisory uploaded without the ubuntu reference, let me know David please if
> you still want it there.

It would be helpful, yes.

And you're right that there are other packages affected; we have Bug 11149 for that. Hopefully we'll have time to get it addressed soon.

CC: (none) => luigiwalser

Comment 8 claire robinson 2013-12-23 14:03:37 CET
Added now.
Comment 9 Thomas Backlund 2013-12-23 18:30:00 CET

Update pushed:
http://advisories.mageia.org/MGASA-2013-0385.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

