+++ This bug was initially created as a clone of Bug #21716 +++

Fedora has issued an advisory today (September 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/

The issues are fixed upstream in 0.18.4: https://www.libraw.org/news/libraw-0-18-4

It looks like other things that embed this code are also affected, like we've seen in the past. Fedora lists dcraw, libkdcraw, and rawtherapee as examples, and has issued an advisory for rawtherapee: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
Whiteboard: (none) => MGA6TOO, MGA5TOO
Source RPM: libraw-0.18.2-1.mga6.src.rpm => dcraw-9.27.0-1.mga6.src.rpm
Assigning to the registered maintainer of dcraw
Assignee: bugsquad => shlomif
Summary: dcraw new security issues CVE-2017-13735 and CVE-2017-14265 => dcraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348
Nobody has patches for this yet, so we won't be able to fix this for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Status comment: (none) => Not fixed upstream as of end of 2017
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=23252
See Also: https://bugs.mageia.org/show_bug.cgi?id=23252 => (none)
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=24107
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Re-assigning globally due to change to no specific maintainer.
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Assignee: shlomif => pkg-bugs
See also bug 24107.
See Also: https://bugs.mageia.org/show_bug.cgi?id=24107 => (none)
Depends on: (none) => 24107
Nicolas Salguero added patches for CVE-2017-13735 and CVE-2017-14608 in dcraw-9.28.0-4.mga8 in Cauldron.
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Just for the record:

https://security-tracker.debian.org/tracker/CVE-2017-13735
with fix: https://github.com/LibRaw/LibRaw/files/1276421/radc_divbyzero.txt

https://security-tracker.debian.org/tracker/CVE-2017-14265
with fix: https://github.com/LibRaw/LibRaw/commit/82616eff4c7f7437e96bdeeed238c3ef3dc12d60

https://security-tracker.debian.org/tracker/CVE-2017-14348
with fix: https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2
CC: (none) => mageia
Status comment: Not fixed upstream as of end of 2017 => Patches available from upstream
rawtherapee pushed in mga7 to fix CVE-2017-13735

src:
rawtherapee-5.6-1.1.mga7
Status comment: Patches available from upstream => Not fixed upstream as of end of 2017
(In reply to Nicolas Lécureuil from comment #7)
> rawtherapee pushed in mga7 to fix CVE-2017-13735
>
> src:
> rawtherapee-5.6-1.1.mga7

Thanks, this update is in Bug 27963.
Removing CVE-2017-14348 due to this: https://bugzilla.redhat.com/show_bug.cgi?id=1492123#c9

Otherwise it looks like we fixed all fixable issues in Bug 26406.

*** This bug has been marked as a duplicate of bug 26406 ***
Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED