+++ This bug was initially created as a clone of Bug #21716 +++

Fedora has issued an advisory today (September 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/

The issues are fixed upstream in 0.18.4:
https://www.libraw.org/news/libraw-0-18-4

It looks like other things that embed this code are also affected, like we've seen in the past. Fedora lists dcraw, libkdcraw, and rawtherapee as examples, and has issued an advisory for rawtherapee:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
Source RPM: libraw-0.18.2-1.mga6.src.rpm => rawtherapee-5.2-1.mga7.src.rpm
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => mrambo
Summary: rawtherapee new security issues CVE-2017-13735 and CVE-2017-14265 => rawtherapee new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348
Patched package uploaded for cauldron, Mageia 6 and 5.

Advisory:
========================

Patched rawtherapee package fixes security vulnerabilities:

It was discovered that rawtherapee had a floating point exception in the kodak_radc_load_raw function in dcraw.cc (CVE-2017-13735).

It was discovered that rawtherapee had a Heap-based 1 byte buffer overflow in the processCanonCameraInfo function in dcraw.c (CVE-2017-14348).

It was discovered that rawtherapee had a Stack Buffer Overflow in xtrans_interpolate in dcraw.c that could allow a remote denial of service and code execution attack (CVE-2017-14265).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14265
https://github.com/Beep6581/RawTherapee/issues/4061
https://github.com/Beep6581/RawTherapee/issues/4084
https://github.com/LibRaw/LibRaw/issues/99
========================

Updated packages in core/updates_testing:
========================
rawtherapee-5.1-1.2.mga6
rawtherapee-4.1-4.2.mga5

from:
rawtherapee-5.1-1.2.mga6.src.rpm
rawtherapee-4.1-4.2.mga5.src.rpm

Testing procedure https://bugs.mageia.org/show_bug.cgi?id=12693#c7
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Keywords: (none) => has_procedure
Assignee: mrambo => qa-bugs
Version: Cauldron => 6
Had a look at this for mga6::x86_64. There are PoCs, which need libraw tools. No package name for 64-bits so installed libraw-tools which supplies the multirender_test program in /bin. Downloaded some of the samples from the link in bug 12693#c7. About to check the PoCs.
CC: (none) => tarazed25
Summary of upstream PoCs

CVE-2017-13735
https://bugzilla.redhat.com/show_bug.cgi?id=1483988
Expected output:
$ multirender_test POC1
Processing file POC1
Floating point exception

CVE-2017-14348
https://github.com/LibRaw/LibRaw/issues/100
ASAN testing
$ raw-identify libraw-0.18.3-heap-buffer-overflow-processCanonCameraInfo.cr2
Aborting

CVE-2017-14265
ASAN testing
$ simple_dcraw crash-xtrans_interpolate-stack-overflow
Aborting
----------------------------------------------------------------------------
Before update:
$ multirender_test POC1
Processing file POC1
Floating point exception (core dumped)
$ raw-identify libraw-0.18.3-heap-buffer-overflow-processCanonCameraInfo.cr2
Cannot decode libraw-0.18.3-heap-buffer-overflow-processCanonCameraInfo.cr2: Unsupported file format or not RAW file
$ simple_dcraw crash-xtrans_interpolate-stack-overflow
Segmentation fault (core dumped)
----------------------------------------------------------------------------
Installed updated rawtherapee

After update:
$ multirender_test POC1
Processing file POC1
Floating point exception (core dumped)
$ raw-identify libraw-0.18.3-heap-buffer-overflow-processCanonCameraInfo.cr2
Cannot decode libraw-0.18.3-heap-buffer-overflow-processCanonCameraInfo.cr2: Unsupported file format or not RAW file
$ simple_dcraw crash-xtrans_interpolate-stack-overflow
$

The core dump for the first test is disappointing but the other two look OK.
----------------------------------------------------------------------------
Launched rawtherapee in the RAW images directory. The whole set of images was displayed. Used some of the controls to color-tag and rank images, cropped an image, used flip, flop and rotate. Opened images with a double-click and saved a couple of images in png and jpeg formats. Those displayed fine.

Giving this an OK.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
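An added example, not part of the original comment or of the Mageia test procedure: the before/after PoC comparison above expressed as an exit-status check, so a signal-terminated run is told apart from a file that was merely rejected. The function names are hypothetical, and the verdict used for raw-identify is an assumption because the transcript does not show its exit status.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how a PoC run ended.
# A shell exit status above 128 means "killed by signal (status - 128)".

classify_status() {
    # $1 = exit status of the command under test
    case "$1" in
        0)   echo "clean-exit" ;;
        127) echo "not-found" ;;   # tool missing from PATH, not a result
        134) echo "SIGABRT" ;;     # 128+6: abort()
        136) echo "SIGFPE" ;;      # 128+8: "Floating point exception"
        139) echo "SIGSEGV" ;;     # 128+11: "Segmentation fault"
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "error-exit-$1"   # e.g. input rejected as not RAW
             fi ;;
    esac
}

run_poc() {
    # Run "$@" quietly with core dumps disabled and print the verdict.
    status=0
    ( ulimit -c 0; "$@" >/dev/null 2>&1 ) || status=$?
    classify_status "$status"
}

compare_runs() {
    # $1 = verdict before the update, $2 = verdict after it
    case "$2" in
        SIG*|signal-*) echo "STILL-CRASHES ($1 -> $2)" ;;
        not-found)     echo "INCONCLUSIVE (tool not installed)" ;;
        *) case "$1" in
               SIG*|signal-*) echo "FIXED ($1 -> $2)" ;;
               *)             echo "NO-CRASH-EITHER-WAY ($1 -> $2)" ;;
           esac ;;
    esac
}

# Verdicts constructed from the transcript above; the raw-identify exit
# status (1) is assumed, since the page shows only its error message.
compare_runs SIGFPE SIGFPE               # multirender_test POC1
compare_runs error-exit-1 error-exit-1   # raw-identify <CanonCameraInfo PoC>
compare_runs SIGSEGV clean-exit          # simple_dcraw <xtrans PoC>
```

On a test machine, `run_poc multirender_test POC1` executed before and after the update yields the two verdicts to pass to `compare_runs`; a NO-CRASH-EITHER-WAY result means the PoC never reproduced, so that run says nothing about the fix.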
Forgot the link for CVE-2017-14265 https://github.com/LibRaw/LibRaw/issues/99
MGA5-32 on Asus A6000VM Xfce. No installation issues. Played around with lighting parameters of raw images, and saved the result. All looks OK.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK
MGA6-32 on Asus A6000VM MATE. No installation issues. Played around with lighting parameters of raw images, and saved the result. This laptop is too slow to do much more. All looks OK.
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA6-32-OK
Advisory from comments 2 & 0. Validating, 3/4 confirmations.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0359.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED