Bug 22695 - libraw minor security fixes upstream in 0.18.8
Summary: libraw minor security fixes upstream in 0.18.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks: 22800
Reported: 2018-03-03 19:31 CET by David Walser
Modified: 2022-02-22 18:45 CET

See Also:
Source RPM: libraw-0.18.6-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-03-03 19:31:37 CET
Fedora has issued an advisory on February 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B2PPQE4XNFYLZ3D72RAUVE6Z227YZ7BH/

The libraw download page:
https://www.libraw.org/download

shows this Changelog for 0.18.8:
Secunia #81000: Credit: Laurent Delosieres, Secunia Research at Flexera
leaf_hdr_load_raw: check for image pointer for demosaiced raw
NOKIARAW parser: check image dimensions readed from file
quicktake_100_load_raw: check width/height limits 

We should update this for Mageia 6 as well.
David Walser 2018-03-03 19:32:04 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-03-03 20:13:48 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing ns80, who pushed libraw security updates recently.

Assignee: bugsquad => pkg-bugs
CC: (none) => caulier.gilles, marja11, nicolas.salguero

Comment 2 José Jorge 2018-03-04 10:15:02 CET
I have updated cauldron. But MGA6 is also affected, working on it.

CC: (none) => lists.jjorge
Status: NEW => ASSIGNED

Comment 3 José Jorge 2018-03-04 10:24:12 CET
Suggested advisory:

Minor security fixes have been done in libraw version 0.18.8 checking limits are not enforced.

Ref: https://www.libraw.org/news/libraw-0-18-8

RPMS:
libraw-tools-0.18.8-1.mga7.i586.rpm
libraw16-0.18.8-1.mga7.i586.rpm
libraw_r16-0.18.8-1.mga7.i586.rpm
libraw-devel-0.18.8-1.mga7.i586.rpm

libraw-tools-0.18.8-1.mga7.x86_64.rpm
lib64raw16-0.18.8-1.mga7.x86_64.rpm
lib64raw_r16-0.18.8-1.mga7.x86_64.rpm
lib64raw-devel-0.18.8-1.mga7.x86_64.rpm


SRPM:
libraw-0.18.8-1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

José Jorge 2018-03-04 10:36:24 CET

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

claire robinson 2018-03-07 17:02:46 CET

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 4 claire robinson 2018-03-07 17:18:37 CET
Advisory uploaded with mga6 srpm.

Can be tested with raw image files and any of the below.

$ urpmq --whatrequires lib64raw16 | grep -v lib64
efl
fotoxx
gthumb
krita
libraw-tools
nomacs
photoqt
shotwell
siril

$ urpmf --media Testing libraw-tools | grep bin
libraw-tools:/usr/bin/4channels
libraw-tools:/usr/bin/dcraw_emu
libraw-tools:/usr/bin/dcraw_half
libraw-tools:/usr/bin/half_mt
libraw-tools:/usr/bin/mem_image
libraw-tools:/usr/bin/multirender_test
libraw-tools:/usr/bin/postprocessing_benchmark
libraw-tools:/usr/bin/raw-identify
libraw-tools:/usr/bin/simple_dcraw
libraw-tools:/usr/bin/unprocessed_raw

Source RPM: libraw-0.18.6-1.mga7.src.rpm => libraw-0.18.8-1.mga6.src.rpm
Keywords: (none) => advisory, has_procedure

Comment 5 Len Lawrence 2018-03-08 13:08:21 CET
Testing this on Mageia 6 for x86_64

CC: (none) => tarazed25

Comment 6 Herman Viaene 2018-03-08 16:28:36 CET
MGA6-32 on Dell Latitude D600 Mate
No installation issues
Exercised mem_image, multirender_test, raw-identify on ORF (Olympus Raw Format), expected outputs on CLI and generated files all OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 7 Len Lawrence 2018-03-08 18:50:05 CET
shotwell functions worked on a Kodak RAW image and displayed it in natural colour.  With nomacs it came up as a greenscale image which could be changed to greyscale.  shotwell detected 6 ORF images inside the RAW file so it looked like nomacs simply picked the first one.  Image manipulations worked in nomacs.

Used nomacs to view various raw formats from Canon, Kodak, Nikon and Olympus cameras, 35 images in total.  They all displayed properly.

Tried out some of the libraw tools.
$ 4channels RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Black level (unscaled)=0
Writing file RAW_NIKON_D1.NEF.R.tiff
Writing file RAW_NIKON_D1.NEF.G.tiff
Writing file RAW_NIKON_D1.NEF.B.tiff
Writing file RAW_NIKON_D1.NEF.G2.tiff

The TIFF files could not be displayed using nomacs or shotwell.
Not obvious from the help that this would happen.  The '-s N' option failed for all values of N.
$ 4channels -s 2 RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Cannot unpack RAW_NIKON_D1.NEF: Request for nonexisting image number

This looks like a change of functionality rather than a regression.

$ multirender_test RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Writing file RAW_NIKON_D1.NEF.1.ppm
Writing file RAW_NIKON_D1.NEF.2.ppm
Writing file RAW_NIKON_D1.NEF.3.ppm
Writing file RAW_NIKON_D1.NEF.4.ppm
Writing file RAW_NIKON_D1.NEF.5.ppm
Writing file RAW_NIKON_D1.NEF.6.ppm
Writing file RAW_NIKON_D1.NEF.7.ppm
Writing file RAW_NIKON_D1.NEF.8.ppm

All the ppm files could be displayed using ImageMagick and the 'next' option.
$ display *.ppm
Each was a manipulated version of the original image.

$ postprocessing_benchmark -R 20 RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF

15.7 msec for unpack
Performance: 9.37 Mpix/sec
File: RAW_NIKON_D1.NEF, Frame: 0 2.7 total Mpix, 284.4 msec
Params:      WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0
Crop:        0-0:2012x1324, active Mpix: 2.66, 3.5 frames/sec

$ raw-identify RAW_FUJI*
RAW_FUJI_S5PRO_V106.RAF is a Fujifilm S5Pro image.
RAW_FUJI_S6500FD.RAF is a Fujifilm S6500fd image.
RAW_FUJI_X-T10.RAF is a Fujifilm X-T10 image.

$ unprocessed_raw RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Image size: 2012x1324
Raw size: 2012x1324
Margins: top=0, left=0
Unpacked....
Stored to file RAW_NIKON_D1.NEF.pgm

Without gamma correction the resulting file was mostly black with a very faint hint of the actual scene.

$ unprocessed_raw -g RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Image size: 2012x1324
Raw size: 2012x1324
Margins: top=0, left=0
Unpacked....
Gamma-corrected....
Stored to file RAW_NIKON_D1.NEF.pgm

This applied a gamma correction of 2.2, which revealed a greyscale image.

The package works, leaving aside the lack of proper documentation for some of the libraw tools.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Len Lawrence 2018-03-09 08:53:26 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-03-10 21:48:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0164.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 9 David Walser 2018-03-18 23:14:23 CET
0.18.7 fixed CVE-2018-5800 CVE-2018-5801 CVE-2018-5802, aka SA79000.

0.18.8 fixed SA81000 (Secunia Advisory 81000).

openSUSE has issued an advisory for this today (March 18):
https://lists.opensuse.org/opensuse-updates/2018-03/msg00063.html

Upstream commits from the 0.18.x branch:
https://github.com/LibRaw/LibRaw/commit/4cb60a6c8f1ec54e51e805d94213f4d49d6118f6
https://github.com/LibRaw/LibRaw/commit/9f26ce37f5be86ea11bfc6831366558650b1f6ff

Source RPM: libraw-0.18.8-1.mga6.src.rpm => libraw-0.18.6-1.mga6.src.rpm

David Walser 2018-03-18 23:17:12 CET

Blocks: (none) => 22800

Comment 10 David Walser 2022-02-22 18:45:09 CET
0.18.8 also fixed CVE-2018-5804, CVE-2018-5805, CVE-2018-5806:
https://www.debian.org/lts/security/2022/dla-2903
