Bug 12125 - dcraw and ufraw new security issue CVE-2013-1438
Summary: dcraw and ufraw new security issue CVE-2013-1438
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Articles/565560/
Whiteboard: advisory MGA3-32-OK MGA3-64-OK
Keywords: validated_update
Depends on:
Blocks: 11149
Reported: 2013-12-27 14:45 CET by David Walser
Modified: 2014-01-17 01:43 CET

See Also:
Source RPM: dcraw, ufraw
CVE:
Status comment:



Description David Walser 2013-12-27 14:45:50 CET
Fedora has issued advisories for dcraw and ufraw on December 7:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html

Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated dcraw and ufraw packages fix security vulnerability:

Due to flaws in the embedded copy of LibRaw in dcraw and ufraw, corrupt input
files might trigger a division by zero, an infinite loop, or a null pointer
dereference (CVE-2013-1438).

The dcraw and ufraw packages have been updated to their newest versions and
patched to fix the flaws in the embedded LibRaw library.  They have also been
patched to use the more secure lcms2 color management library, rather than the
unmaintained lcms library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html
========================

Updated packages in core/updates_testing:
========================
dcraw-9.19-1.mga3
dcraw-gimp2.0-9.19-1.mga3
ufraw-0.19.2-5.mga3
ufraw-batch-0.19.2-5.mga3
ufraw-gimp-0.19.2-5.mga3

from SRPMS:
dcraw-9.19-1.mga3.src.rpm
ufraw-0.19.2-5.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
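The advisory above names three outcomes of a corrupt input file: a division by zero, an infinite loop and a null pointer dereference. The following is an added example, not code from this bug, from LibRaw, or from the dcraw/ufraw packages: a toy raw-image header parser written for this page that reaches each of those three outcomes when it trusts the header, next to a guarded version that rejects the input instead. The 12-byte header layout (width, height, tile size as little-endian uint32), the RAW_E* error codes, RAW_MAX_DIM and the sample headers are all constructed for the illustration.

```c
/*
 * Added illustration, not code from LibRaw, dcraw or ufraw: a toy raw-image
 * header parser showing how a corrupt header reaches the three flaw classes
 * the advisory names (division by zero, non-terminating loop, NULL pointer
 * dereference), next to a guarded version that rejects the input instead.
 * The 12-byte header layout (width, height, tile size; all little-endian
 * uint32), the error codes and RAW_MAX_DIM are assumptions made up here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum { RAW_ETRUNC = -1, RAW_EDIM = -2, RAW_ETILE = -3, RAW_ENOMEM = -4 };

#define RAW_HDR_LEN 12u
#define RAW_MAX_DIM 65536u  /* assumed sane upper bound on width and height */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Unguarded: trusts every header field. tile == 0 divides by zero (and would
 * keep the column loop from ever advancing); an absurd width*height makes
 * malloc return NULL, which is then written through. Call this only on input
 * already known to be well-formed.
 */
int64_t raw_count_tiles_unguarded(const uint8_t *buf, size_t len)
{
    (void)len;  /* no length check: a short buffer is read past its end */
    uint32_t width = rd32le(buf), height = rd32le(buf + 4), tile = rd32le(buf + 8);
    uint32_t tiles_y = (height + tile - 1) / tile;        /* tile == 0: division by zero */
    uint16_t *row = malloc((size_t)width * height * sizeof *row);
    row[0] = 0;                                           /* NULL on huge dimensions */
    int64_t n = 0;
    for (uint32_t y = 0; y < tiles_y; y++)
        for (uint32_t x = 0; x < width; x += tile)        /* tile == 0: never terminates */
            n++;
    free(row);
    return n;
}

/* Guarded: returns the tile count, or a negative RAW_E* code for bad input. */
int64_t raw_count_tiles_guarded(const uint8_t *buf, size_t len)
{
    if (len < RAW_HDR_LEN)
        return RAW_ETRUNC;
    uint32_t width = rd32le(buf), height = rd32le(buf + 4), tile = rd32le(buf + 8);

    /* Reject zero or absurd dimensions before any arithmetic depends on them. */
    if (width == 0 || height == 0 || width > RAW_MAX_DIM || height > RAW_MAX_DIM)
        return RAW_EDIM;
    /* The divisor and loop step must be non-zero and fit inside the image. */
    if (tile == 0 || tile > width || tile > height)
        return RAW_ETILE;
    /* Size the buffer with an explicit overflow check rather than relying on
       RAW_MAX_DIM alone, then refuse to touch a failed allocation. */
    size_t pixels = (size_t)width * height;
    if (pixels / width != height || pixels > SIZE_MAX / sizeof(uint16_t))
        return RAW_EDIM;
    uint16_t *row = calloc(pixels, sizeof *row);
    if (row == NULL)
        return RAW_ENOMEM;

    /* Both loops now have a step of at least 1 and a bounded limit. */
    int64_t n = 0;
    for (uint32_t y = 0; y < height; y += tile)
        for (uint32_t x = 0; x < width; x += tile)
            n++;
    free(row);
    return n;
}

/* Constructed sample headers: (width, height, tile), little-endian. */
const uint8_t raw_sample_ok[RAW_HDR_LEN]      = { 0x40,0,0,0, 0x20,0,0,0, 0x10,0,0,0 }; /* 64x32, tile 16 */
const uint8_t raw_sample_tile0[RAW_HDR_LEN]   = { 0x40,0,0,0, 0x20,0,0,0, 0x00,0,0,0 }; /* tile 0 */
const uint8_t raw_sample_nowidth[RAW_HDR_LEN] = { 0,0,0,0, 0x20,0,0,0, 0x10,0,0,0 };    /* width 0 */
const uint8_t raw_sample_huge[RAW_HDR_LEN]    = { 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 0x10,0,0,0 };

int main(void)
{
    printf("valid header: %lld tiles\n", (long long)raw_count_tiles_guarded(raw_sample_ok, RAW_HDR_LEN));
    printf("tile == 0:    %lld\n", (long long)raw_count_tiles_guarded(raw_sample_tile0, RAW_HDR_LEN));
    printf("width == 0:   %lld\n", (long long)raw_count_tiles_guarded(raw_sample_nowidth, RAW_HDR_LEN));
    printf("4G x 4G:      %lld\n", (long long)raw_count_tiles_guarded(raw_sample_huge, RAW_HDR_LEN));
    printf("truncated:    %lld\n", (long long)raw_count_tiles_guarded(raw_sample_ok, 8));
    return 0;
}
```

The guarded version validates the divisor and loop step, bounds the dimensions, checks the allocation size for overflow and refuses to touch a NULL allocation; the unguarded version is kept only to show where each of the advisory's three outcomes comes from and must never be given the corrupt samples.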
David Walser 2013-12-27 14:46:06 CET

Blocks: (none) => 11149

Dave Hodgins 2014-01-02 18:46:40 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Carolyn Rowse 2014-01-10 09:31:21 CET
I'll have a look at this one over the weekend on both archs.

CC: (none) => isolde

Comment 2 Carolyn Rowse 2014-01-11 19:09:27 CET
Couldn't find a POC but tried with fotoxx on 32-bit, worked fine before and after update.

Tested with Gimp as well, but to do that it had to uninstall fotoxx and ufraw, and there's also a conflict between dcraw-gimp2.0-9.19-1.mga3 and ufraw-gimp-0.19.2-5.mga3, so I had to test those separately.

Aside from that, seems fine with 32-bit, will test 64-bit as well.

Whiteboard: advisory => advisory MGA3-32-OK

Comment 3 Carolyn Rowse 2014-01-11 22:08:47 CET
Works fine in Fotoxx and Gimp after update on 64-bit as well.

Update validated.

See description for advisory and SRPMs.

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: advisory MGA3-32-OK => advisory MGA3-32-OK MGA3-64-OK

Comment 4 Thomas Backlund 2014-01-17 01:43:03 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0011.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
