Description of problem:
Patched packages uploaded for Mageia 3.

Advisory:
========================

Updated libkdcraw packages fix libraw security vulnerabilities:

It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against LibRaw could be made to crash, resulting in a denial of service (CVE-2013-1438, CVE-2013-1439).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1439
========================

Updated packages in core/updates_testing:
========================

i586:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.i586.rpm
libkdcraw22-4.10.5-1.2.mga3.i586.rpm
libkdcraw-devel-4.10.5-1.2.mga3.i586.rpm
libkdcraw-debug-4.10.5-1.2.mga3.i586.rpm

x86_64:
libkdcraw-common-4.10.5-1.2.mga3.noarch.rpm
libkdcraw-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw22-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-devel-4.10.5-1.2.mga3.x86_64.rpm
lib64kdcraw-debug-4.10.5-1.2.mga3.x86_64.rpm

from SRPMS:
libkdcraw-4.10.5-1.2.mga3.src.rpm

Reproducible:

Steps to Reproduce:
Blocks: (none) => 11149
CC: (none) => balcaen.john, mageia
Thanks Luc!

I'd like to add one more URL to the references:
http://www.ubuntu.com/usn/usn-1978-1/
(In reply to David Walser from comment #1)
> Thanks Luc!
>
> I'd like to add one more URL to the references:
> http://www.ubuntu.com/usn/usn-1978-1/

I didn't mention this reference because this Ubuntu update is for libkdcraw 4.8.5, which embeds libraw 0.14.4, while libkdcraw 4.10.5 embeds libraw 0.15. So I didn't use their patch, but adapted the upstream patch from the 0.15 branch: https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5

Does ufraw/libraw need to be updated also or instead for CVE-2013-1439? Debian appear to be updating libraw, Red Hat ufraw.

No PoCs.
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768
(In reply to claire robinson from comment #3)
> Thanks Luc. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1002714#c5
>
> Does ufraw/libraw need to be updated also or instead for CVE-2013-1439?
> Debian appear to be updating libraw, Red Hat ufraw.

It seems that we have already updated libraw with libraw-0.14.7-5.2.mga3 (bug 11376). For ufraw, I don't know. I mainly contribute on KDE stuff, and I don't have enough free time to help more, sorry.

> No PoCs.
> Procedure: https://bugs.mageia.org/show_bug.cgi?id=10768

Yep.
Testing complete mga3 32
Whiteboard: (none) => has_procedure mga3-32-ok
Testing complete mga3 64

Advisory uploaded without the Ubuntu reference, let me know David please if you still want it there.

Validating. Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
(In reply to claire robinson from comment #6)
> Testing complete mga3 64
>
> Advisory uploaded without the Ubuntu reference, let me know David please if
> you still want it there.

It would be helpful, yes. And you're right that there are other packages affected; we have Bug 11149 for that. Hopefully we'll have time to get it addressed soon.
CC: (none) => luigiwalser
Added now.
Update pushed: http://advisories.mageia.org/MGASA-2013-0385.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED