Bug 12693 - rawtherapee new security issue CVE-2013-1438
Summary: rawtherapee new security issue CVE-2013-1438
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Articles/565560/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks: 11149
Reported: 2014-02-09 21:07 CET by David Walser
Modified: 2014-02-17 01:35 CET
7 users

See Also:
Source RPM: rawtherapee-4.0.12-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2014-02-09 21:07:44 CET
As was reported in Bug 11149, rawtherapee contains an embedded copy of dcraw, which is vulnerable to security issue CVE-2013-1438.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated rawtherapee package fixes security vulnerability:

Due to flaws in the embedded copy of dcraw in rawtherapee, corrupt input
files might trigger a division by zero, an infinite loop, or a null pointer
dereference (CVE-2013-1438).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124176.html
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1438.html
========================

Updated packages in core/updates_testing:
========================
rawtherapee-4.0.7-3.1.mga3
rawtherapee-4.0.11-2.1.mga4

from SRPMS:
rawtherapee-4.0.7-3.1.mga3.src.rpm
rawtherapee-4.0.11-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-09 21:08:00 CET

Version: Cauldron => 4
Blocks: (none) => 11149
Whiteboard: (none) => MGA3TOO
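A practitioner reading this bug mostly wants one answer: is the rawtherapee package on a given Mageia 3 or 4 host at or above the fixed build listed above? Because RPM release strings such as `3.mga3` and `3.1.mga3` do not sort correctly as plain strings, the check has to use RPM's segment-wise version comparison. The following is an added example, not code from the bug, from Mageia, or from rawtherapee: it implements a simplified `rpmvercmp` (numeric and alphabetic segments only; tilde and caret handling is omitted since none of the versions on this page use them), takes the fixed versions from the package list in this advisory, and classifies constructed lines in the `name-version-release.arch` form that `rpm -q rawtherapee` prints. The function names, the `FIXED_VERSIONS` table and the sample lines are this example's own assumptions.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed builds as listed in this bug's advisory, keyed by the Mageia release
# tag found at the end of the RPM release field. (Cauldron is not listed with
# a version on the page, so it is deliberately not covered here.)
FIXED_VERSIONS = {
    "mga3": ("4.0.7", "3.1.mga3"),
    "mga4": ("4.0.11", "2.1.mga4"),
}

# A version string is split into runs of digits and runs of letters;
# everything else (dots, underscores, ...) only acts as a separator.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings segment by segment.

    Numeric segments compare as integers (so leading zeros are ignored and
    '11' > '7'), alphabetic segments compare lexically, and a numeric segment
    is considered newer than an alphabetic one. If all shared segments are
    equal, the string with segments left over is the newer one.
    Returns -1, 0 or 1 like the C function of the same name.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x_num != y_num:
            return 1 if x_num else -1  # numeric beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def split_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' into (name, version, release, arch).

    Assumes the last dot-separated token is the architecture, as in the
    `rpm -q` output quoted in this bug ('rawtherapee-4.0.7-3.mga3.x86_64').
    """
    base, _, arch = nvra.rpartition(".")
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(nvra: str) -> bool:
    """True if this installed rawtherapee build is at or above the fixed one."""
    name, version, release, _arch = split_nvra(nvra)
    if name != "rawtherapee":
        raise ValueError(f"not a rawtherapee package: {nvra!r}")
    distro = release.rsplit(".", 1)[-1]  # e.g. 'mga3'
    if distro not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for release tag {distro!r}")
    fixed_version, fixed_release = FIXED_VERSIONS[distro]
    result = rpmvercmp(version, fixed_version)
    if result == 0:
        result = rpmvercmp(release, fixed_release)
    return result >= 0


def audit(rpm_q_lines: Iterable[str]) -> Dict[str, bool]:
    """Map each `rpm -q rawtherapee` output line to whether it is fixed."""
    return {line.strip(): is_fixed(line.strip()) for line in rpm_q_lines if line.strip()}


# Constructed sample input: the before/after builds quoted in comments 7 and 8.
SAMPLE_RPM_Q_OUTPUT = """
rawtherapee-4.0.7-3.mga3.x86_64
rawtherapee-4.0.7-3.1.mga3.x86_64
rawtherapee-4.0.11-2.mga4.i586
rawtherapee-4.0.11-2.1.mga4.i586
"""

if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE_RPM_Q_OUTPUT.splitlines()).items():
        print(f"{'fixed    ' if ok else 'VULNERABLE'}  {pkg}")
```

On a real host the input would come from `rpm -q rawtherapee`; the `x86_64` builds in comment 7 show why the name alone is not enough and the release field has to be compared, since `3.mga3` and `3.1.mga3` share the same version `4.0.7`.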

Comment 1 Alex Loginov 2014-02-12 13:41:48 CET
Error: user's profiles' directory "/home/user/.config/RawTherapee4.0.11/profiles" creation failed
But this directory was created successfully in real.
I tested in mga4-32

CC: (none) => loginov_alex

Comment 2 Samuel Verschelde 2014-02-12 13:43:34 CET
(In reply to Alex Loginov from comment #1)
> Error: user's profiles' directory
> "/home/user/.config/RawTherapee4.0.11/profiles" creation failed
> But this directory was created successfully in real.
> I tested in mga4-32

Can you describe the steps that make this error message appear?

CC: (none) => stormi

Comment 3 Alex Loginov 2014-02-12 13:58:00 CET
I installed rawtherapee-4.0.11-2.1.mga4 and ran it for the first time. No error on the second start.

Comment 4 Carolyn Rowse 2014-02-15 16:53:04 CET
Testing Mga3 32-bit.

CC: (none) => isolde

Comment 5 Carolyn Rowse 2014-02-15 17:37:04 CET
Tested some of the usual photo editing features in Mga3 32-bit, such as exposure, white balance, colour channels, hue, saturation, cropping, saving in different formats.

No problems noticed before or after update.

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK

Comment 6 Philippe Makowski 2014-02-16 11:37:42 CET
Tested some of the usual photo editing features in Mga3 32-bit, such as exposure, white balance, colour channels, hue, saturation, cropping, saving in different formats.
No error at first or second start.

No problems noticed before or after update.
Mga4-64

CC: (none) => makowski.mageia
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA4-64-OK

Comment 7 William Kenney 2014-02-16 22:12:28 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
rawtherapee

default install of rawtherapee

[root@localhost wilcal]# urpmi rawtherapee
Package rawtherapee-4.0.7-3.mga3.x86_64 is already installed

RAW test images from:  http://www.rawsamples.ch

Opens RAW pics, can modify and save pics in jpeg format

install rawtherapee from updates_testing

[root@localhost wilcal]# urpmi rawtherapee
Package rawtherapee-4.0.7-3.1.mga3.x86_64 is already installed

Opens RAW pics, can modify and save pics in jpeg format

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int
Whiteboard: MGA3TOO MGA3-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK

Comment 8 William Kenney 2014-02-16 22:32:01 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
rawtherapee

default install of rawtherapee

[root@localhost wilcal]# urpmi rawtherapee
Package rawtherapee-4.0.11-2.mga4.i586 is already installed

RAW test images from:  http://www.rawsamples.ch

Opens RAW pics, can modify and save pics in jpeg format

install rawtherapee from updates_testing

[root@localhost wilcal]# urpmi rawtherapee
Package rawtherapee-4.0.11-2.1.mga4.i586 is already installed

Opens RAW pics, can modify and save pics in jpeg format

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 9 William Kenney 2014-02-16 22:32:22 CET
If everybody's happy, this one's a go.

Comment 10 Thomas Backlund 2014-02-17 01:11:07 CET
Validating and advisory uploaded

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => tmb, sysadmin-bugs

Comment 11 Thomas Backlund 2014-02-17 01:35:11 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0081.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
