Bug 22243 - libraw new security issue CVE-2017-16910
Summary: libraw new security issue CVE-2017-16910
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-20 00:36 CET by David Walser
Modified: 2022-02-22 18:44 CET

See Also:
Source RPM: libraw-0.18.5-1.mga6.src.rpm
CVE: CVE-2017-16910
Status comment:


Description David Walser 2017-12-20 00:36:00 CET
Fedora has issued an advisory today (December 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5CVYH6MZ7FEBYY2TWTMRQKBIK6E2RAHI/

The issue is fixed upstream in 0.18.6.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-20 00:36:13 CET

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-12-20 07:24:45 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.


@ Gilles Caulier

Do you want to be CC'ed in such libraw bug reports as this one, too?

It might be better to tell me on IRC (I'm marja or marja11 there), because I read less than 1/5th of the bugzilla mails that I receive because I'm CC'ed in them

Assignee: bugsquad => pkg-bugs
CC: (none) => caulier.gilles, mageia, marja11

Comment 2 Nicolas Salguero 2017-12-20 09:57:24 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Invalid read memory access in the LibRaw::xtrans_interpolate() function. (CVE-2017-16910)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16910
========================

Updated packages in 5/core/updates_testing:
========================
libraw-tools-0.16.2-1.5.mga5
lib(64)raw10-0.16.2-1.5.mga5
lib(64)raw_r10-0.16.2-1.5.mga5
lib(64)raw-devel-0.16.2-1.5.mga5

from SRPMS:
libraw-0.16.2-1.5.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
libraw-tools-0.18.6-1.mga6
lib(64)raw16-0.18.6-1.mga6
lib(64)raw_r16-0.18.6-1.mga6
lib(64)raw-devel-0.18.6-1.mga6

from SRPMS:
libraw-0.18.6-1.mga6.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-16910
Version: Cauldron => 6
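
Added example, not part of the bug thread or of Mageia's tooling: a host audit that compares installed libraw packages against the fixed builds listed in Comment 2. The `audit` and `rpm_cmp` helpers and the `SAMPLE` package list are constructed for illustration, and the version comparison is a simplified form of RPM's ordering.

```python
import re

# Fixed builds taken from the package lists in Comment 2, keyed by release tag.
FIXED = {"mga5": ("0.16.2", "1.5.mga5"), "mga6": ("0.18.6", "1.mga6")}
# Binary package names from the same lists; "lib(64)" expands to lib or lib64.
LIBRAW_NAME = re.compile(r"^(libraw-tools|lib(64)?raw(_r)?(10|16)|lib(64)?raw-devel)$")


def rpm_cmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Ignores '~' and '^' (not used here)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)             # digit runs compare numerically
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def audit(nvr_lines):
    """Return {package: 'fixed' | 'vulnerable' | 'unknown release'}."""
    report = {}
    for nvr in nvr_lines:
        name, version, release = nvr.strip().rsplit("-", 2)
        if not LIBRAW_NAME.match(name):
            continue                          # not a libraw package
        tag = release.rsplit(".", 1)[-1]      # e.g. "mga6"
        if tag not in FIXED:
            report[nvr] = "unknown release"
            continue
        fixed_version, fixed_release = FIXED[tag]
        c = rpm_cmp(version, fixed_version) or rpm_cmp(release, fixed_release)
        report[nvr] = "fixed" if c >= 0 else "vulnerable"
    return report


# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output.
SAMPLE = ["lib64raw16-0.18.5-1.mga6", "libraw-tools-0.18.6-1.mga6",
          "lib64raw_r10-0.16.2-1.5.mga5", "libraw10-0.16.2-1.4.mga5",
          "nomacs-3.4-1.mga6"]

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE).items():
        print(f"{state:16} {pkg}")
```

A package-version audit like this only sees the system library; applications that compile in their own copy of the LibRaw source have to be checked separately.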

Comment 3 Gilles Caulier 2017-12-20 10:16:48 CET
Yes, I'm interested in receiving the security issues with libraw. As for technical details, digiKam core includes the latest libraw C code internally. I updated the code a few days ago especially for this security problem. I'm in contact with the libraw team.

Note: digiKam 5.8.0 will be released in a few days.

Gilles Caulier
Comment 4 Len Lawrence 2017-12-20 23:49:40 CET
Starting tests of this on Mageia5::x86_64.

Installed the updates.
Was able to identify some of the tools in /usr/bin:
raw-identify*
rawtopgm*
rawtoppm*
and possibly pnmnoraw.
$ ls -l pnmnoraw
lrwxrwxrwx 1 root root 13 Feb 10  2017 pnmnoraw -> pnmtoplainpnm*

Moved to a directory of camera images.
$ raw-identify RAW_NIKON_D3.NEF
RAW_NIKON_D3.NEF is a Nikon D3 image.
$ raw-identify RAW_OLYMPUS_SP350.ORF
RAW_OLYMPUS_SP350.ORF is a Olympus SP350 image.

Somewhat redundant with file names like these.

$ file RAW_OLYMPUS_SP350.ORF
RAW_OLYMPUS_SP350.ORF: Olympus ORF raw image data, little-endian

Continuing this tomorrow.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-12-21 11:58:33 CET
The problem with raw camera images and the utilities is that you need to know the image dimensions beforehand and also just where the actual image data starts in the file.

No more time today to follow up on this.
Comment 6 Herman Viaene 2017-12-21 15:47:15 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Testing along my lines in bug 21716, at CLI:
$ raw-identify P7212390.ORF 
P7212390.ORF is a Olympus E-500 image.
$ mem_image P7212390.ORF 
Processing P7212390.ORF
produces a file P7212390.ORF.ppm which looks OK in ristretto (BTW no help or man page for this command)
$ multirender_test P7212390.ORF 
Processing file P7212390.ORF
Writing file P7212390.ORF.1.ppm
Writing file P7212390.ORF.2.ppm
Writing file P7212390.ORF.3.ppm
Writing file P7212390.ORF.4.ppm
Writing file P7212390.ORF.5.ppm
Writing file P7212390.ORF.6.ppm
Writing file P7212390.ORF.7.ppm
Writing file P7212390.ORF.8.ppm
These files are all perfectly viewable, but have different resolution from the original, and some of them are flipped left-right or upside-down.
$ nomacs P7212390.ORF
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
opens picture in smaller resolution 1600x1200, but looks OK
Good enough for me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 7 Len Lawrence 2017-12-22 01:57:42 CET
Comment 5 continuing...
Thanks for the back-link to previous tests Herman - had totally forgotten those.
Taking your lead on nomacs (again):

$ nomacs RAW_NIKON_D7000.NEF
[INFO] Hi there
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkViewPortInterface*, bool) to nmc::DkControlWidget::setPluginWidget(DkViewPortInterface*, bool)
[WARNING] QObject::connect: Cannot connect (null)::applyPluginChanges(bool) to nmc::DkControlWidget::applyPluginChanges(bool)
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkPluginContainer*, const QString&) to nmc::DkViewPort::applyPlugin(DkPluginContainer*, const QString&)
[INFO] CSS loaded from:  ":/nomacs/stylesheet.css"
[INFO] local client created in:  49 ms
[INFO] LAN client created in:  0 ms
[INFO] Initialization takes:  203 ms
.......

Image displayed with a note of dimensions.  Browse function worked fine.

$ multirender_test RAW_OLYMPUS_SP350.ORF
Processing file RAW_OLYMPUS_SP350.ORF
Writing file RAW_OLYMPUS_SP350.ORF.1.ppm
Writing file RAW_OLYMPUS_SP350.ORF.2.ppm
Writing file RAW_OLYMPUS_SP350.ORF.3.ppm
Writing file RAW_OLYMPUS_SP350.ORF.4.ppm
Writing file RAW_OLYMPUS_SP350.ORF.5.ppm
Writing file RAW_OLYMPUS_SP350.ORF.6.ppm
Writing file RAW_OLYMPUS_SP350.ORF.7.ppm
Writing file RAW_OLYMPUS_SP350.ORF.8.ppm
$ display RAW_OLYMPUS_SP350.ORF.*.ppm
As Herman noted the separate images were reduced and occasionally inverted.

$ mem_image RAW_CANON_5D_ARGB.CR2
Processing RAW_CANON_5D_ARGB.CR2
$ ls RAW_CANON_5D_ARGB.CR2*
RAW_CANON_5D_ARGB.CR2  RAW_CANON_5D_ARGB.CR2.ppm
The ppm file displayed fine.

This is good for mga6 on x86_64.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 8 Len Lawrence 2017-12-22 01:59:12 CET
Comment 5 continuing...
Thanks for the back-link to previous tests Herman - had totally forgotten those.
Taking your lead on nomacs (again):

$ nomacs RAW_NIKON_D7000.NEF
[INFO] Hi there
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkViewPortInterface*, bool) to nmc::DkControlWidget::setPluginWidget(DkViewPortInterface*, bool)
[WARNING] QObject::connect: Cannot connect (null)::applyPluginChanges(bool) to nmc::DkControlWidget::applyPluginChanges(bool)
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkPluginContainer*, const QString&) to nmc::DkViewPort::applyPlugin(DkPluginContainer*, const QString&)
[INFO] CSS loaded from:  ":/nomacs/stylesheet.css"
[INFO] local client created in:  49 ms
[INFO] LAN client created in:  0 ms
[INFO] Initialization takes:  203 ms
.......

Image displayed with a note of dimensions.  Browse function worked fine.

$ multirender_test RAW_OLYMPUS_SP350.ORF
Processing file RAW_OLYMPUS_SP350.ORF
Writing file RAW_OLYMPUS_SP350.ORF.1.ppm
Writing file RAW_OLYMPUS_SP350.ORF.2.ppm
Writing file RAW_OLYMPUS_SP350.ORF.3.ppm
Writing file RAW_OLYMPUS_SP350.ORF.4.ppm
Writing file RAW_OLYMPUS_SP350.ORF.5.ppm
Writing file RAW_OLYMPUS_SP350.ORF.6.ppm
Writing file RAW_OLYMPUS_SP350.ORF.7.ppm
Writing file RAW_OLYMPUS_SP350.ORF.8.ppm
$ display RAW_OLYMPUS_SP350.ORF.*.ppm
As Herman noted the separate images were reduced and occasionally inverted.

$ mem_image RAW_CANON_5D_ARGB.CR2
Processing RAW_CANON_5D_ARGB.CR2
$ ls RAW_CANON_5D_ARGB.CR2*
RAW_CANON_5D_ARGB.CR2  RAW_CANON_5D_ARGB.CR2.ppm
The ppm file displayed fine.

This is good for mga6 on x86_64.
Comment 9 Len Lawrence 2017-12-22 02:01:22 CET
Something peculiar going on here - mid-air collision with myself.
Comment 10 Lewis Smith 2017-12-23 22:12:44 CET
Prior to testing M5/64:
 lib64raw10-0.16.2-1.5.mga5
 lib64raw_r10-0.16.2-1.5.mga5
 libraw-tools-0.16.2-1.5.mga5

The tools pkg includes:
4channels  ?      
Usage: 4channels [-s N] [-g] [-A] [-B] [-N] raw-files....

dcraw_emu: almost complete dcraw emulator
Usage:  dcraw_emu [OPTION]... [FILE]...

mem_image: to illustrate work for memory buffers. Emulates dcraw
options [-4] [-1] [-e] [-h]

multirender_test: Performs 4 different renderings of one file
Usage: multirender_test raw-files....

postprocessing benchmark: Measures postprocessing speed with different options
Usage: postprocessing_benchmark [-a] [-H N] [-q N] [-h] [-m N] [-n N] [-s N] [-B x y w h] [-R N]

raw-identify ?

simple_dcraw: Emulates dcraw
Usage: simple_dcraw [-D] [-T] [-v] [-e] raw-files....

unprocessed_raw ?
Usage: unprocessed_raw [-q] [-A] [-g] [-s N] raw-files....

'nomacs' is its own independent package, requiring lib64raw10 :
... a free image viewer small, fast and able to handle the most common image formats including RAW images.

lib64raw_r10 is required by: entangle, luminance-hdr; both graphical programs (+ recursively more familiar things like digikam, gwenview, krita, showfoto).

Just downloaded a huge RAW (I hope) image to play with tomorrow.

CC: (none) => lewyssmith

Comment 11 Herman Viaene 2017-12-24 10:33:12 CET
MGA6-32 on Dell Latitude D600
No installation issues
Repeated tests as in Comment 6 above and got the same results, except for:
$ nomacs P7212390.ORF
nomacs: relocation error: /lib/libQt5Widgets.so.5: symbol _ZTV13QInputControl, version Qt_5_PRIVATE_API not defined in file libQt5Gui.so.5 with link time reference
Googling with this error convinces me this is a Qt issue, nothing to do with libraw, so I can pass.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK

Comment 12 Lewis Smith 2017-12-24 11:56:25 CET
Testing M5/64 (after update, see comment 10)

Source image:
-rw-rw-r-- 1 lewis lewis  86107103 Rha  24 10:46 Credo-Barcelona_0320.IIQ

 $ simple_dcraw Credo-Barcelona_0320.IIQ
with strace, took a long time, produced default PPM output:
 open("/lib64/libraw.so.10", O_RDONLY|O_CLOEXEC) = 3
 -rw-rw-r-- 1 lewis lewis 240435858 Rha  24 10:49 Credo-Barcelona_0320.IIQ.ppm
'display' showed a tiny part of the .ppm image, but it could be panned & scaled down to show OK.

 $ strace simple_dcraw -T Credo-Barcelona_0320.IIQ 2>&1 | grep libraw
open("/lib64/libraw.so.10", O_RDONLY|O_CLOEXEC) = 3
-rw-rw-r-- 1 lewis lewis 240437692 Rha  24 10:59 Credo-Barcelona_0320.IIQ.tiff
 $ display Credo-Barcelona_0320.IIQ.tiff
display: ASCII value for tag "ImageDescription" contains null byte in value; value incorrectly truncated during reading due to implementation limitations. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/896.
and a lot more similar errors. But the result showed OK.

 $ multirender_test Credo-Barcelona_0320.IIQ 
Processing file Credo-Barcelona_0320.IIQ
Writing file Credo-Barcelona_0320.IIQ.1.ppm
Writing file Credo-Barcelona_0320.IIQ.2.ppm
Writing file Credo-Barcelona_0320.IIQ.3.ppm
Writing file Credo-Barcelona_0320.IIQ.4.ppm
Writing file Credo-Barcelona_0320.IIQ.5.ppm
Writing file Credo-Barcelona_0320.IIQ.6.ppm
Writing file Credo-Barcelona_0320.IIQ.7.ppm
Writing file Credo-Barcelona_0320.IIQ.8.ppm
$ ls -l
-rw-rw-r-- 1 lewis lewis 240435858 Rha  24 11:10 Credo-Barcelona_0320.IIQ.1.ppm
Pale green background, full-size = huge image.
-rw-rw-r-- 1 lewis lewis  60108977 Rha  24 11:10 Credo-Barcelona_0320.IIQ.2.ppm
Smaller image, greyish background.
-rw-rw-r-- 1 lewis lewis  60108977 Rha  24 11:10 Credo-Barcelona_0320.IIQ.3.ppm
Bluish background.
-rw-rw-r-- 1 lewis lewis  60108977 Rha  24 11:10 Credo-Barcelona_0320.IIQ.4.ppm
Bluish background, rotated 90 anti-clockwise.
-rw-rw-r-- 1 lewis lewis  60108977 Rha  24 11:10 Credo-Barcelona_0320.IIQ.5.ppm
Greyish background, rotated 90 anti-clockwise.
-rw-rw-r-- 1 lewis lewis  60108977 Rha  24 11:10 Credo-Barcelona_0320.IIQ.6.ppm
Neutral BG, rotated 90 anti-clockwise.
-rw-rw-r-- 1 lewis lewis  60108977 Rha  24 11:11 Credo-Barcelona_0320.IIQ.7.ppm
Bluish BG.
-rw-rw-r-- 1 lewis lewis 240435858 Rha  24 11:12 Credo-Barcelona_0320.IIQ.8.ppm
Same as 1.
---------
For the other library lib64raw_r10-0.16.2-1.5.mga5, the 2 programs are not within my capabilities to try:
 Entangle provides a graphical interface for "tethered shooting", aka taking
photographs with a digital camera completely controlled from the computer.
 Luminance is a graphical program for assembling bracketed photos into High
Dynamic Range (HDR) images.

OKing, & validating the update, advisory to do.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2017-12-24 15:35:05 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0468.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 14 David Walser 2022-02-22 18:44:30 CET
0.18.6 also fixed CVE-2017-16909:
https://www.debian.org/lts/security/2022/dla-2903
