Fedora has issued an advisory on December 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173363.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libraw packages fix security vulnerabilities:

It was found that smal_decode_segment function does not handle index carefully, which may cause index overflow (CVE-2015-8366).

It was found that phase_one_correct function does not handle memory object's initialization correctly, which may have unspecified impact (CVE-2015-8367).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173363.html
========================

Updated packages in core/updates_testing:
========================
libraw-tools-0.16.2-1.1.mga5
libraw10-0.16.2-1.1.mga5
libraw_r10-0.16.2-1.1.mga5
libraw-devel-0.16.2-1.1.mga5

from libraw-0.16.2-1.1.mga5.src.rpm
libraw10 used by shotwell and nomacs, libraw_r10 used by entangle and luminance-hdr.
In VirtualBox, M5, KDE, 32-bit

Sample .CDR RAW images were created with my Canon DSLR

Package(s) under test:
libraw10 libraw_r10

default install of libraw10 & libraw_r10

[root@localhost wilcal]# urpmi libraw10
Package libraw10-0.16.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r10
Package libraw_r10-0.16.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.i586 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can manipulate the images, save them as a png or jpg file, then reopen them with gimp.

install libraw10 & libraw_r10 from updates_testing

[root@localhost wilcal]# urpmi libraw10
Package libraw10-0.16.2-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libraw_r10
Package libraw_r10-0.16.2-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.i586 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can manipulate the images, save them as a png or jpg file, then reopen them with gimp.
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Sample .CDR RAW images were created with my Canon DSLR

Package(s) under test:
lib64raw10 lib64raw_r10

default install of lib64raw10 & lib64raw_r10

[root@localhost wilcal]# urpmi lib64raw10
Package lib64raw10-0.16.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64raw_r10
Package lib64raw_r10-0.16.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.x86_64 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can manipulate the images, save them as a png or jpg file, then reopen them with gimp.

install lib64raw10 & lib64raw_r10 from updates_testing

[root@localhost wilcal]# urpmi lib64raw10
Package lib64raw10-0.16.2-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64raw_r10
Package lib64raw_r10-0.16.2-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nomacs
Package nomacs-1.6.4-4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi luminance-hdr
Package luminance-hdr-2.4.0-6.mga5.x86_64 is already installed

I can open a .CDR image with either nomacs or luminance-hdr.
I can manipulate the images, save them as a png or jpg file, then reopen them with gimp.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0469.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Used a few raw pictures. At CLI:

$ raw-identify P7212389.ORF
P7212389.ORF is a Olympus E-500 image.

and

$ strace -o libraw.txt nomacs P7212389.ORF
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
new suffix: .jpg *.jpeg)

I could save the image... Resulting jpg file OK.
CC: (none) => herman.viaene
Sorry, update on wrong bug.