Fedora has issued an advisory on February 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B2PPQE4XNFYLZ3D72RAUVE6Z227YZ7BH/ The libraw download page: https://www.libraw.org/download shows this Changelog for 0.18.8: Secunia #81000: Credit: Laurent Delosieres, Secunia Research at Flexera leaf_hdr_load_raw: check for image pointer for demosaiced raw NOKIARAW parser: check image dimensions readed from file quicktake_100_load_raw: check width/height limits We should update this for Mageia 6 as well.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing ns80, who pushed libraw security updates recently.
Assignee: bugsquad => pkg-bugsCC: (none) => caulier.gilles, marja11, nicolas.salguero
I have updated cauldron. But MGA6 is also affected, working on it.
CC: (none) => lists.jjorgeStatus: NEW => ASSIGNED
Suggested advisory : Minor security fixes have been done in libraw version 0.18.8 checking limits are not enforced. Ref: https://www.libraw.org/news/libraw-0-18-8 RPMS : libraw-tools-0.18.8-1.mga7.i586.rpm libraw16-0.18.8-1.mga7.i586.rpm libraw_r16-0.18.8-1.mga7.i586.rpm libraw-devel-0.18.8-1.mga7.i586.rpm libraw-tools-0.18.8-1.mga7.x86_64.rpm lib64raw16-0.18.8-1.mga7.x86_64.rpm lib64raw_r16-0.18.8-1.mga7.x86_64.rpm lib64raw-devel-0.18.8-1.mga7.x86_64.rpm SRPM: libraw-0.18.8-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)Version: Cauldron => 6
Component: RPM Packages => SecurityQA Contact: (none) => security
Advisory uploaded with mga6 srpm. Can be tested with raw image files and any of below.. $ urpmq --whatrequires lib64raw16 | grep -v lib64 efl fotoxx gthumb krita libraw-tools nomacs photoqt shotwell siril $ urpmf --media Testing libraw-tools | grep bin libraw-tools:/usr/bin/4channels libraw-tools:/usr/bin/dcraw_emu libraw-tools:/usr/bin/dcraw_half libraw-tools:/usr/bin/half_mt libraw-tools:/usr/bin/mem_image libraw-tools:/usr/bin/multirender_test libraw-tools:/usr/bin/postprocessing_benchmark libraw-tools:/usr/bin/raw-identify libraw-tools:/usr/bin/simple_dcraw libraw-tools:/usr/bin/unprocessed_raw
Source RPM: libraw-0.18.6-1.mga7.src.rpm => libraw-0.18.8-1.mga6.src.rpmKeywords: (none) => advisory, has_procedure
Testing this on Mageia 6 for x86_64
CC: (none) => tarazed25
MGA6-32 on Dell Latitude D600 Mate No installation issues Exercised mem_image, multirender_test, raw-identify on ORF (Olympus Raw Format) , expected outputs on CLI and generated files all OK.
Whiteboard: (none) => MGA6-32-OKCC: (none) => herman.viaene
shotwell functions worked on a Kodak RAW image and displayed it in natural colour. With nomacs it came up as a greenscale image which could be changed to greyscale. shotwell detected 6 ORF images inside the RAW file so it looked like nomacs simply picked the first one. Image manipulations worked in nomacs. Used nomacs to view various raw formats from Canon, Kodak, Nikon and Olympus cameras, 35 images in total. They all displayed properly. Tried out some of the libraw tools. $ 4channels RAW_NIKON_D1.NEF Processing file RAW_NIKON_D1.NEF Black level (unscaled)=0 Writing file RAW_NIKON_D1.NEF.R.tiff Writing file RAW_NIKON_D1.NEF.G.tiff Writing file RAW_NIKON_D1.NEF.B.tiff Writing file RAW_NIKON_D1.NEF.G2.tiff The TIFF files could not be displayed using nomacs or shotwell. Not obvious from the help that this would happen. The '-s N' option failed for all values of N. $ 4channels -s 2 RAW_NIKON_D1.NEF Processing file RAW_NIKON_D1.NEF Cannot unpack RAW_NIKON_D1.NEF: Request for nonexisting image number This looks like a change of functionality rather than a regression. $ multirender_test RAW_NIKON_D1.NEF Processing file RAW_NIKON_D1.NEF Writing file RAW_NIKON_D1.NEF.1.ppm Writing file RAW_NIKON_D1.NEF.2.ppm Writing file RAW_NIKON_D1.NEF.3.ppm Writing file RAW_NIKON_D1.NEF.4.ppm Writing file RAW_NIKON_D1.NEF.5.ppm Writing file RAW_NIKON_D1.NEF.6.ppm Writing file RAW_NIKON_D1.NEF.7.ppm Writing file RAW_NIKON_D1.NEF.8.ppm All the ppm files could be displayed using ImageMagick and the 'next' option. $ display *.ppm Each was a manipulated version of the original image. $ postprocessing_benchmark -R 20 RAW_NIKON_D1.NEF Processing file RAW_NIKON_D1.NEF 15.7 msec for unpack Performance: 9.37 Mpix/sec File: RAW_NIKON_D1.NEF, Frame: 0 2.7 total Mpix, 284.4 msec Params: WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0 Crop: 0-0:2012x1324, active Mpix: 2.66, 3.5 frames/sec $ raw-identify RAW_FUJI* RAW_FUJI_S5PRO_V106.RAF is a Fujifilm S5Pro image. RAW_FUJI_S6500FD.RAF is a Fujifilm S6500fd image. RAW_FUJI_X-T10.RAF is a Fujifilm X-T10 image. $ unprocessed_raw RAW_NIKON_D1.NEF Processing file RAW_NIKON_D1.NEF Image size: 2012x1324 Raw size: 2012x1324 Margins: top=0, left=0 Unpacked.... Stored to file RAW_NIKON_D1.NEF.pgm Without gamma correction the resulting file was mostly black with a very faint hint of the actual scene. $ unprocessed_raw -g RAW_NIKON_D1.NEF Processing file RAW_NIKON_D1.NEF Image size: 2012x1324 Raw size: 2012x1324 Margins: top=0, left=0 Unpacked.... Gamma-corrected.... Stored to file RAW_NIKON_D1.NEF.pgm This applied a gamma correction of 2.2, which revealed a greyscale image. The package works leaving aside the lack of proper documentation for some of the libraw tools.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0164.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
0.18.7 fixed CVE-2018-5800 CVE-2018-5801 CVE-2018-5802, aka SA79000. 0.18.8 fixed SA81000 (Secunia Advisory 81000). openSUSE has issued an advisory for this today (March 18): https://lists.opensuse.org/opensuse-updates/2018-03/msg00063.html Upstream commits from the 0.18.x branch: https://github.com/LibRaw/LibRaw/commit/4cb60a6c8f1ec54e51e805d94213f4d49d6118f6 https://github.com/LibRaw/LibRaw/commit/9f26ce37f5be86ea11bfc6831366558650b1f6ff
Source RPM: libraw-0.18.8-1.mga6.src.rpm => libraw-0.18.6-1.mga6.src.rpm
Blocks: (none) => 22800
0.18.8 also fixed CVE-2018-5804, CVE-2018-5805, CVE-2018-5806: https://www.debian.org/lts/security/2022/dla-2903