+++ This bug was initially created as a clone of Bug #15910 +++

An advisory has been issued today (May 11):
http://www.ocert.org/advisories/ocert-2015-006.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated dcraw and ufraw packages fix security vulnerability:

The dcraw tool suffers from an integer overflow condition which leads to a buffer overflow. The vulnerability concerns the 'len' variable, parsed without validation from opened images, used in the ljpeg_start() function. A maliciously crafted raw image file can be used to trigger the vulnerability, causing a Denial of Service condition (CVE-2015-3885).

The ufraw package also contains the affected code.

The dcraw and ufraw packages have been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
http://www.ocert.org/advisories/ocert-2015-006.html
========================

Updated packages in core/updates_testing:
========================
dcraw-9.19-3.1.mga4
dcraw-gimp2.0-9.19-3.1.mga4
ufraw-0.19.2-5.1.mga4
ufraw-batch-0.19.2-5.1.mga4
ufraw-gimp-0.19.2-5.1.mga4

from SRPMS:
dcraw-9.19-3.1.mga4.src.rpm
ufraw-0.19.2-5.1.mga4.src.rpm
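An added example, not dcraw's code and not the patch shipped in these packages: it shows the kind of validation the advisory says was missing for a length parsed from an image. It assumes the standard JPEG marker-segment layout (2-byte marker, 2-byte big-endian length that counts itself); the function and status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum seg_status { SEG_OK = 0, SEG_TRUNCATED = -1, SEG_BAD_LENGTH = -2, SEG_TOO_BIG = -3 };

/* Parse one JPEG-style marker segment held in in[0..in_len):
 * 2-byte marker, 2-byte big-endian length that counts itself, payload.
 * On SEG_OK the payload is copied to out and its size stored in *payload_len. */
int read_segment(const uint8_t *in, size_t in_len,
                 uint8_t *out, size_t out_cap, size_t *payload_len)
{
    if (in_len < 4)
        return SEG_TRUNCATED;

    /* Read the field as unsigned and validate it before any arithmetic. */
    unsigned field = ((unsigned)in[2] << 8) | in[3];

    /* A field below 2 makes "field - 2" negative in a signed int, which
     * turns into a huge size_t once it is passed to a read or copy call. */
    if (field < 2)
        return SEG_BAD_LENGTH;

    size_t len = (size_t)field - 2;
    if (len > out_cap)          /* would overrun the destination buffer */
        return SEG_TOO_BIG;
    if (len > in_len - 4)       /* input ends before the declared payload */
        return SEG_TRUNCATED;

    memcpy(out, in + 4, len);
    *payload_len = len;
    return SEG_OK;
}

int main(void)
{
    /* Constructed sample segments, not taken from any real image. */
    const uint8_t good[]      = { 0xFF, 0xC4, 0x00, 0x05, 'a', 'b', 'c' };
    const uint8_t short_len[] = { 0xFF, 0xC4, 0x00, 0x01 };
    uint8_t out[16];
    size_t n = 0;

    printf("good:      %d\n", read_segment(good, sizeof good, out, sizeof out, &n));
    printf("short len: %d\n", read_segment(short_len, sizeof short_len, out, sizeof out, &n));
    return 0;
}
```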
Can be tested by opening various raw type images, e.g.

$ ufraw
opens a file chooser dialogue and displays the images chosen.

$ dcraw -i *.CR2 *.NEF
_MG_8882.CR2 is a Canon EOS 30D image.
RAW_CANON_450D.CR2 is a Canon EOS 450D image.
RAW_NIKON_D100.NEF is a Nikon D100 image.

or with -v to display more image info.
Whiteboard: (none) => has_procedure
Testing complete mga4 64, as comment 1.
Whiteboard: has_procedure => has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0225.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/644511/