+++ This bug was initially created as a clone of Bug #21716 +++ Fedora has issued an advisory today (September 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/ The issues are fixed upstream in 0.18.4: https://www.libraw.org/news/libraw-0-18-4 It looks like other things that embed this code are also affected, like we've seen in the past. Fedora lists dcraw, libkdcraw, and rawtherapee as examples, and has issued an advisory for rawtherapee: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
Source RPM: libraw-0.18.2-1.mga6.src.rpm => libkdcraw-17.08.0-3.mga7.src.rpmAssignee: bugsquad => kdeWhiteboard: (none) => MGA6TOO, MGA5TOO
Summary: libkdcraw new security issues CVE-2017-13735 and CVE-2017-14265 => libkdcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348
I haven't any updates or patches for this, so too late for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Status comment: (none) => Not fixed upstream as of end of 2017
libraw 0.18.7 fixed CVE-2018-5801: https://bugzilla.redhat.com/show_bug.cgi?id=1553334 libkdcraw may also be affected.
RedHat has issued an advisory on October 30: https://access.redhat.com/errata/RHSA-2018:3065 It fixes the issue mentioned in Comment 2 and several others.
Summary: libkdcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348 => libkdcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348, CVE-2018-580[0-2,5-6]
There's also CVE-2018-1956[5-8] in dcraw: https://www.openwall.com/lists/oss-security/2018/11/27/1
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOOCC: (none) => mageia
we are not affected in libkdcraw
Status: NEW => RESOLVEDResolution: (none) => FIXED
CVE-2017-13735 was never addressed: https://bugzilla.redhat.com/show_bug.cgi?id=1488931 CVE-2018-580[0-2,5-6] certainly affect libkdcraw and we never fixed them: https://access.redhat.com/errata/RHSA-2018:3065
Resolution: FIXED => (none)Status: RESOLVED => REOPENED
CVE-2017-13735 is not valid on mga7 ,fixed in 0-18-3
(In reply to Nicolas Lécureuil from comment #7) > CVE-2017-13735 is not valid on mga7 ,fixed in 0-18-3 This bug is for libkdcraw though. Did it get fixed in that too?
need to be checked on mga7 still
Version: Cauldron => 7Whiteboard: MGA7TOO => (none)
Please provide information about how/when/where Cauldron was fixed when changing bugs' version assignment.
Version: 7 => CauldronWhiteboard: (none) => MGA7TOO
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
libkdcraw is built against the system libraw as of Mageia 7.
Status: REOPENED => RESOLVEDWhiteboard: MGA8TOO, MGA7TOO => (none)Version: Cauldron => 7Resolution: (none) => FIXED