Mageia Bugzilla – Bug 12074
libkdcraw - libraw security issues CVE-2013-1438 and CVE-2013-1439
Last modified: 2013-12-23 18:30:00 CET
Description of problem:
Patched packages uploaded for Mageia 3.
Updated libkdcraw packages fix libraw security vulnerabilities:
It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, applications linked against LibRaw could be made to crash, resulting
in a denial of service (CVE-2013-1438, CVE-2013-1439).
Updated packages in core/updates_testing:
Steps to Reproduce:
I'd like to add one more URL to the references:
(In reply to David Walser from comment #1)
> Thanks Luc!
> I'd like to add one more URL to the references:
I didn't mention this reference because this Ubuntu update is for libkdcraw 4.8.5 which embeds libraw 0.14.4, while libkdcraw 4.10.5 embeds libraw 0.15.
So, I didn't use their patch, but I adapted upstream patch from the branch 0.15 https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad .
Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5
Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
Debian apear to be updating libraw, redhat ufraw.
(In reply to claire robinson from comment #3)
> Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5
> Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
> Debian apear to be updating libraw, redhat ufraw.
It seems that we have already updated libraw with libraw-0.14.7-5.2.mga3 (bug 11376). For ufraw, I don't know. I mainly contribute on kde stuff, and I don't have enough free time to help more, sorry.
> No PoC's.
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768
Testing complete mga3 32
Testing complete mga3 64
Advisory uploaded without the ubuntu reference, let me know David please if you still want it there.
Could sysadmin please push from 3 core/updates_testing to updates
(In reply to claire robinson from comment #6)
> Testing complete mga3 64
> Advisory uploaded without the ubuntu reference, let me know David please if
> you still want it there.
It would be helpful, yes.
And you're right that there are other packages affected, we have Bug 11149 for that. Hopefully we'll have time to get it addressed soon.