Bug 22800 - libraw security fixes upstream in 0.18.13 (including CVE-2018-1052[89], CVE-2018-5807, CVE-2018-581[0-3,56])
Summary: libraw security fixes upstream in 0.18.13 (including CVE-2018-1052[89], CVE-2...
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 22695 22956
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-18 23:17 CET by David Walser
Modified: 2018-10-06 12:53 CEST (History)
1 user (show)

See Also:
Source RPM: libraw-0.16.2-1.5.mga5.src.rpm
CVE:
Status comment: Patches available from openSUSE, Ubuntu, and upstream

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-03-18 23:17:12 CET 
+++ This bug was initially created as a clone of Bug #22695 +++

Fedora has issued an advisory on February 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B2PPQE4XNFYLZ3D72RAUVE6Z227YZ7BH/

0.18.7 fixed CVE-2018-5800 CVE-2018-5801 CVE-2018-5802, aka SA79000.

0.18.8 fixed SA81000 (Secunia Advisory 81000).

openSUSE has issued an advisory for this today (March 18):
https://lists.opensuse.org/opensuse-updates/2018-03/msg00063.html

Upstream commits from the 0.18.x branch:
https://github.com/LibRaw/LibRaw/commit/4cb60a6c8f1ec54e51e805d94213f4d49d6118f6
https://github.com/LibRaw/LibRaw/commit/9f26ce37f5be86ea11bfc6831366558650b1f6ff

We fixed these for Mageia 6 in Bug 22695.

Mageia 5 is also affected.  It'd be nice to at least get fixes in SVN for these.
Comment 1 David Walser 2018-04-03 23:38:29 CEST 
Ubuntu has issued an advisory today (April 3):
https://usn.ubuntu.com/3615-1/

It fixed at least the 0.18.7 issues, as well as CVE-2017-16909, which I don't believe we've fixed yet in Mageia 5.  They fixed 0.17.x and 0.15.x, so we can probably adapt patches for 0.16.x.
Comment 2 David Walser 2018-04-27 16:53:29 CEST 
0.18.9 fixed SA81800 and some buffer and stack overruns:
https://www.libraw.org/download

Summary: libraw minor security fixes upstream in 0.18.8 => libraw minor security fixes upstream in 0.18.9
Depends on: (none) => 22956

Comment 3 David Walser 2018-05-03 18:50:17 CEST 
Two more vulnerabilities were discovered in 0.18.9.

openSUSE has issued an advisory for this today (May 3):
https://lists.opensuse.org/opensuse-updates/2018-05/msg00009.html

Summary: libraw minor security fixes upstream in 0.18.9 => libraw minor security fixes upstream in 0.18.9 (plus CVE-2018-10528 and CVE-2018-10529)

David Walser 2018-05-04 08:39:23 CEST

Status comment: (none) => Patches available from openSUSE, Ubuntu, and upstream

Comment 4 David Walser 2018-05-12 23:38:31 CEST 
The CVEs were fixed in 0.18.10.  0.18.11 fixes SA83050 and other issues:
https://www.libraw.org/download

Summary: libraw minor security fixes upstream in 0.18.9 (plus CVE-2018-10528 and CVE-2018-10529) => libraw security fixes upstream in 0.18.11 (including CVE-2018-10528 and CVE-2018-10529)

Comment 5 David Walser 2018-06-08 22:18:08 CEST 
Ubuntu has issued an advisory for the CVE issues on May 8:
https://usn.ubuntu.com/3639-1/
Comment 6 David Walser 2018-06-15 18:54:14 CEST 
0.18.12 fixes SA83507 and an integer overflow:
https://www.libraw.org/download

Summary: libraw security fixes upstream in 0.18.11 (including CVE-2018-10528 and CVE-2018-10529) => libraw security fixes upstream in 0.18.12 (including CVE-2018-10528 and CVE-2018-10529)

Comment 7 David Walser 2018-07-24 21:44:53 CEST 
0.18.13 fixes two more security issues:
https://www.libraw.org/download

- fixed possible stack overrun while reading zero-sized strings
- fixed possible integer overflow

Fedora has issued an advisory for this today (July 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SAILUJLX73GTMC4BTJPFRXMDQIFLWFMV/

Summary: libraw security fixes upstream in 0.18.12 (including CVE-2018-10528 and CVE-2018-10529) => libraw security fixes upstream in 0.18.13 (including CVE-2018-10528 and CVE-2018-10529)

Comment 8 David Walser 2018-08-10 17:15:23 CEST 
0.18.9 fixed CVE-2018-5807 and CVE-2018-581[0-2]:
https://bugzilla.suse.com/show_bug.cgi?id=1103361
https://bugzilla.suse.com/show_bug.cgi?id=1103353
https://bugzilla.suse.com/show_bug.cgi?id=1103359
https://bugzilla.suse.com/show_bug.cgi?id=1103360

0.18.11 fixed CVE-2018-5813:
https://bugzilla.redhat.com/show_bug.cgi?id=1609954

0.18.12 fixed CVE-2018-5815:
https://bugzilla.suse.com/show_bug.cgi?id=1103206

openSUSE has issued an advisory for this today (August 10):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00068.html

Summary: libraw security fixes upstream in 0.18.13 (including CVE-2018-10528 and CVE-2018-10529) => libraw security fixes upstream in 0.18.13 (including CVE-2018-1052[89], CVE-2018-5807, CVE-2018-581[0-3,5])

Comment 9 David Walser 2018-08-14 23:36:10 CEST 
0.18.12 fixed CVE-2018-5816:
https://bugzilla.redhat.com/show_bug.cgi?id=1610156

Summary: libraw security fixes upstream in 0.18.13 (including CVE-2018-1052[89], CVE-2018-5807, CVE-2018-581[0-3,5]) => libraw security fixes upstream in 0.18.13 (including CVE-2018-1052[89], CVE-2018-5807, CVE-2018-581[0-3,56])

Comment 10 Marja Van Waes 2018-10-06 12:53:56 CEST 
The limited support Mga5 continued to have after its official EOL has ended, so closing this bug as OLD.

Resolution: (none) => OLD
Status: NEW => RESOLVED
CC: (none) => marja11
Note You need to log in before you can comment on or make changes to this bug.