openSUSE has issued an advisory on May 31:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html

The issues were fixed upstream in 0.18.2 (already in Cauldron).
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libraw packages fix security vulnerabilities:

A memory corruption in parse_tiff_ifd() function (CVE-2017-6886).

A memory corruption via e.g. a specially crafted KDC file parse_tiff_ifd() (CVE-2017-6887).

An integer overflow error within the "foveon_load_camf()" function (CVE-2017-6889).

A boundary error within the "foveon_load_camf()" function (CVE-2017-6890).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6890
https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html
========================

Updated packages in core/updates_testing:
========================
libraw-tools-0.16.2-1.2.mga5
libraw10-0.16.2-1.2.mga5
libraw_r10-0.16.2-1.2.mga5
libraw-devel-0.16.2-1.2.mga5

from libraw-0.16.2-1.2.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Summary: libraw new security issues CVE-2017-688[6-9] and CVE-2017-6890 => libraw new security issues CVE-2017-688[679] and CVE-2017-6890
MGA5-32 on Asus A6000VM Xfce

No installation issues.

Used a few raw pictures.

At CLI:
$ raw-identify P7212389.ORF
P7212389.ORF is a Olympus E-500 image.

and
$ strace -o libraw.txt nomacs P7212389.ORF
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
new suffix: .jpg *.jpeg)

I could save the image... Resulting jpg file OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith
Validating under the current temporary policy (1 OK good) thanks to Herman's test. In fact not many testers will have RAW images available to them.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0223.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED