Bug 21757 - dcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348
Summary: dcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348
Status: RESOLVED DUPLICATE of bug 26406
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO, MGA7TOO
Keywords:
Depends on: 21716 24107
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-22 17:14 CEST by David Walser
Modified: 2021-01-03 23:37 CET (History)
5 users (show)

See Also:
Source RPM: dcraw-9.27.0-1.mga6.src.rpm
CVE:
Status comment: Patches available from upstream


Attachments

Description David Walser 2017-09-22 17:14:00 CEST
+++ This bug was initially created as a clone of Bug #21716 +++

Fedora has issued an advisory today (September 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/

The issues are fixed upstream in 0.18.4:
https://www.libraw.org/news/libraw-0-18-4

It looks like other things that embed this code are also affected, like we've seen in the past.  Fedora lists dcraw, libkdcraw, and rawtherapee as examples, and has issued an advisory for rawtherapee:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
David Walser 2017-09-22 17:14:14 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
Source RPM: libraw-0.18.2-1.mga6.src.rpm => dcraw-9.27.0-1.mga6.src.rpm

Comment 1 Marja Van Waes 2017-09-22 19:04:19 CEST
Assigning to the registered maintainer of dcraw

Assignee: bugsquad => shlomif

David Walser 2017-09-25 16:53:48 CEST

Summary: dcraw new security issues CVE-2017-13735 and CVE-2017-14265 => dcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348

Comment 2 David Walser 2017-12-28 22:52:51 CET
Nobody has patches for this yet, so we won't be able to fix this for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:18:37 CET

Status comment: (none) => Not fixed upstream as of end of 2017

David Walser 2018-06-29 19:51:34 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=23252

David Walser 2019-01-02 15:12:32 CET

See Also: https://bugs.mageia.org/show_bug.cgi?id=23252 => (none)

David Walser 2019-01-02 15:13:02 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=24107

David Walser 2019-06-23 19:25:02 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 3 Lewis Smith 2019-11-28 15:56:12 CET
Re-assigning globally due to change to no specific maintainer.

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Assignee: shlomif => pkg-bugs

Comment 4 Lewis Smith 2019-11-28 16:03:14 CET
See also bug 24107.
David Walser 2020-01-14 18:10:47 CET

See Also: https://bugs.mageia.org/show_bug.cgi?id=24107 => (none)
Depends on: (none) => 24107

Comment 5 David Walser 2020-03-04 22:02:11 CET
Nicolas Salguero added patches for CVE-2017-13735 and CVE-2017-14608 in dcraw-9.28.0-4.mga8 in Cauldron.
David Walser 2020-12-28 17:09:31 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

David Walser 2020-12-28 22:10:22 CET

Status comment: Not fixed upstream as of end of 2017 => Patches available from upstream

Comment 7 Nicolas Lécureuil 2020-12-28 22:38:09 CET
rawtherapee pushed in mga7 to fix CVE-2017-13735

src: 
     rawtherapee-5.6-1.1.mga7

Status comment: Patches available from upstream => Not fixed upstream as of end of 2017

Nicolas Lécureuil 2020-12-28 22:38:42 CET

Status comment: Not fixed upstream as of end of 2017 => Patches available from upstream

Comment 8 David Walser 2020-12-28 23:43:49 CET
(In reply to Nicolas Lécureuil from comment #7)
> rawtherapee pushed in mga7 to fix CVE-2017-13735
> 
> src: 
>      rawtherapee-5.6-1.1.mga7

Thanks, this update is in Bug 27963.
Comment 9 David Walser 2021-01-03 23:37:40 CET
Removing CVE-2017-14348 due to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1492123#c9

Otherwise it looks like we fixed all fixable issues in Bug 26406.

*** This bug has been marked as a duplicate of bug 26406 ***

Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.