Fedora has issued advisories for dcraw and ufraw on December 7:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html

Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated dcraw and ufraw packages fix security vulnerability:

Due to flaws in the embedded copy of LibRaw in dcraw and ufraw, corrupt input files might trigger a division by zero, an infinite loop, or a null pointer dereference (CVE-2013-1438).

The dcraw and ufraw packages have been updated to their newest versions and patched to fix the flaws in the embedded LibRaw library. They have also been patched to use the more secure lcms2 color management library, rather than the unmaintained lcms library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124183.html
========================

Updated packages in core/updates_testing:
========================
dcraw-9.19-1.mga3
dcraw-gimp2.0-9.19-1.mga3
ufraw-0.19.2-5.mga3
ufraw-batch-0.19.2-5.mga3
ufraw-gimp-0.19.2-5.mga3

from SRPMS:
dcraw-9.19-1.mga3.src.rpm
ufraw-0.19.2-5.mga3.src.rpm
Blocks: (none) => 11149
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
I'll have a look at this one over the weekend on both archs.
CC: (none) => isolde
Couldn't find a POC but tried with fotoxx on 32-bit, worked fine before and after update. Tested with Gimp as well, but to do that it had to uninstall fotoxx and ufraw and also there's a conflict between dcraw-gimp2.0-9.19-1.mga3 and ufraw-gimp-0.19.2-5.mga3 so I had to test those separately. Aside from that, seems fine with 32-bit, will test 64-bit as well.
Whiteboard: advisory => advisory MGA3-32-OK
Works fine in Fotoxx and Gimp after update on 64-bit as well. Update validated. See description for advisory and SRPMs. Could sysadmin please push from core/updates_testing to core/updates. Thank you.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: advisory MGA3-32-OK => advisory MGA3-32-OK MGA3-64-OK
Update pushed: http://advisories.mageia.org/MGASA-2014-0011.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED