I have pushed libraw 0.18.9 to updates testing.

Suggested advisory:
Minor security fixes have been done in libraw version 0.18.9.

Ref: https://www.libraw.org/news/libraw-0-18-9

SRPM:
libraw-0.18.9-1.mga6.srpm

RPMS:
libraw-tools-0.18.9-1.mga6.i586.rpm
libraw16-0.18.9-1.mga6.i586.rpm
libraw_r16-0.18.9-1.mga6.i586.rpm
libraw-devel-0.18.9-1.mga6.i586.rpm
CC: (none) => lists.jjorge
Blocks: (none) => 22800
0.18.9 fixed SA81800 and some buffer and stack overruns: https://www.libraw.org/download
QA Contact: (none) => security
Component: RPM Packages => Security
Source RPM: libraw => libraw-0.18.8-1.mga6.src.rpm
Mageia 6, x86_64.
libraw packages already installed. Clean update, ignoring the rpm signature problems.
Running virtually the same tests as for bug 22695 on the same collection of RAW images.

$ 4channels RAW_NIKON_D1.NEF
Writing file RAW_NIKON_D1.NEF.R.tiff
Writing file RAW_NIKON_D1.NEF.G.tiff
Writing file RAW_NIKON_D1.NEF.B.tiff
Writing file RAW_NIKON_D1.NEF.G2.tiff
These display as black frames.

$ multirender_test RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Writing file RAW_NIKON_D1.NEF.1.ppm
Writing file RAW_NIKON_D1.NEF.2.ppm
Writing file RAW_NIKON_D1.NEF.3.ppm
Writing file RAW_NIKON_D1.NEF.4.ppm
Writing file RAW_NIKON_D1.NEF.5.ppm
Writing file RAW_NIKON_D1.NEF.6.ppm
Writing file RAW_NIKON_D1.NEF.7.ppm
Writing file RAW_NIKON_D1.NEF.8.ppm
<That worked better>

$ display RAW_NIKON_D1.NEF.1.ppm
<This showed an image very similar to the original file (using nomacs)>

$ postprocessing_benchmark -R 20 RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
19.8 msec for unpack
Performance: 8.40 Mpix/sec
File: RAW_NIKON_D1.NEF, Frame: 0 2.7 total Mpix, 317.1 msec
Params: WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0
Crop: 0-0:2012x1324, active Mpix: 2.66, 3.2 frames/sec

$ raw-identify RAW_FUJI*
RAW_FUJI_S5PRO_V106.RAF is a Fujifilm S5Pro image.
RAW_FUJI_S6500FD.RAF is a Fujifilm S6500fd image.
RAW_FUJI_X-T10.RAF is a Fujifilm X-T10 image.

$ unprocessed_raw RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Image size: 2012x1324
Raw size: 2012x1324
Margins: top=0, left=0
Unpacked....
Stored to file RAW_NIKON_D1.NEF.pgm

$ display RAW_NIKON_D1.NEF.pgm
<Showed a black frame>

$ unprocessed_raw -g RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Image size: 2012x1324
Raw size: 2012x1324
Margins: top=0, left=0
Unpacked....
Gamma-corrected....
Stored to file RAW_NIKON_D1.NEF.pgm

$ display RAW_NIKON_D1.NEF.pgm
<Image displayed in dark greyscale tones>

There are probably other tests that could be used but these show no regression with respect to previous tests.
We can pass this.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
Don't ignore signature problems.
CC: (none) => luigiwalser
Re comment 3. What is the correct procedure when the signing fails? Just report that? There was a note on the mailing lists that this is the time of year when certificates are renewed so we should expect more of this kind of thing?
Someone mentioned yesterday that it could also be a disk space issue causing it. Either way, just feedback any affected bugs until the sysadmins fix the build system and rebuild the affected packages.
Re the previous 4 comments, esp c5, feedbacking this. Thanks for tests, Len. Will do the advisory now.
Keywords: (none) => advisory, feedback
The following package has bad signature:
/var/cache/urpmi/rpms/lib64raw16-0.18.9-1.mga6.x86_64.rpm: Missing signature (OK ((none)))

The unsigned package must be rebuilt, and then the tests repeated.

Removing the advisory and OK whiteboard entries, as the srpm will have to be updated in the advisory, and the new package re-tested, once the package has been rebuilt.
CC: (none) => davidwhodgins
Whiteboard: MGA6-64-OK => (none)
Keywords: advisory => (none)
(In reply to Dave Hodgins from comment #7)
> The unsigned package must be rebuilt, and then the tests repeated.

Version 0.18.9-2 pushed. I'd say only the signature needs a test, as nothing else changed.
Keywords: feedback => (none)
Two more vulnerabilities were discovered in 0.18.9. openSUSE has issued an advisory for this today (May 3): https://lists.opensuse.org/opensuse-updates/2018-05/msg00009.html
Summary: libraw minor security fixes upstream in 0.18.9 => libraw minor security fixes upstream in 0.18.9 (plus CVE-2018-10528 and CVE-2018-10529)
Keywords: (none) => feedback
I have pushed libraw 0.18.10 to updates testing. So the advisory gets longer.
Indeed the CVEs were fixed in 0.18.10. 0.18.11 fixes SA83050 and other issues: https://www.libraw.org/download
Summary: libraw minor security fixes upstream in 0.18.9 (plus CVE-2018-10528 and CVE-2018-10529) => libraw security fixes upstream in 0.18.11 (including CVE-2018-10528 and CVE-2018-10529)
Let's hope it is the last one: I have pushed libraw 0.18.11 to updates testing.

Suggested advisory:
Several security fixes have been done in libraw version 0.18.9, then 0.18.10 and finally 0.18.11.

Ref: https://www.libraw.org/news/libraw-0-18-11

SRPM:
libraw-0.18.11-1.mga6.srpm

RPMS:
libraw-tools-0.18.11-1.mga6.i586.rpm
libraw16-0.18.11-1.mga6.i586.rpm
libraw_r16-0.18.11-1.mga6.i586.rpm
libraw-devel-0.18.11-1.mga6.i586.rpm
Shall look at this for mga6 later this afternoon.
Mageia 6, x86_64

It is not clear how to exercise all of the tools but some are fairly easy to use. Usage information is printed if a command is invoked without arguments.

Repeating the earlier tests after updating.

$ raw-identify RAW_NIKON_D1.NEF
RAW_NIKON_D1.NEF is a Nikon D1 image.
This can be displayed with nomacs or shotwell.

$ shotwell RAW_NIKON_D1.NEF
ORF IMAGE
ORF IMAGE
ORF IMAGE
ORF IMAGE
ORF IMAGE
invalid type value detected in Image::printIFDStructure: 0
It displays OK though.

Extract individual frames from a composite image.
$ 4channels RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Black level (unscaled)=0
Writing file RAW_NIKON_D1.NEF.R.tiff
Writing file RAW_NIKON_D1.NEF.G.tiff
Writing file RAW_NIKON_D1.NEF.B.tiff
Writing file RAW_NIKON_D1.NEF.G2.tiff

$ nomacs RAW_NIKON_D1.NEF.G.tiff
Shows a black panel but under 'Adjustments' select 'auto-adjust' or 'normalize' to enhance the image.

$ multirender_test 'KODAK C603 C643 Format 420 CCDI0001.RAW'
Processing file KODAK C603 C643 Format 420 CCDI0001.RAW
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.1.ppm
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.2.ppm
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.3.ppm
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.4.ppm
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.5.ppm
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.6.ppm
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.7.ppm
Writing file KODAK C603 C643 Format 420 CCDI0001.RAW.8.ppm
The individual PPM files can be viewed with nomacs.

$ unprocessed_raw -g 'KODAK C603 C643 Format 420 CCDI0001.RAW'
Processing file KODAK C603 C643 Format 420 CCDI0001.RAW
Image size: 2864x2152
Raw size: 2864x2152
Margins: top=0, left=0
Unpacked....
Gamma-corrected....
Stored to file KODAK C603 C643 Format 420 CCDI0001.RAW.pgm

$ nomacs 'KODAK C603 C643 Format 420 CCDI0001.RAW.pgm'
[INFO] Hi there
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkViewPortInterface*, bool) to nmc::DkControlWidget::setPluginWidget(DkViewPortInterface*, bool)
[WARNING] QObject::connect: Cannot connect (null)::applyPluginChanges(bool) to nmc::DkControlWidget::applyPluginChanges(bool)
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkPluginContainer*, const QString&) to nmc::DkViewPort::applyPlugin(DkPluginContainer*, const QString&)
[INFO] local client created in: 3 ms
[INFO] CSS loaded from: ":/nomacs/stylesheet.css"
[INFO] LAN client created in: 0 ms
[INFO] Initialization takes: 51 ms
[INFO] "/home/lcl/qa/libraw/KODAK C603 C643 Format 420 CCDI0001.RAW.pgm" loaded in 19 ms
A greyscale image is displayed in the last case.

$ mem_image RAW_OLYMPUS_C8080.ORF
Processing RAW_OLYMPUS_C8080.ORF
$ ll *C8080*
-rw-r--r-- 1 lcl lcl 12091780 Sep 29 2017 RAW_OLYMPUS_C8080.ORF
-rw-r--r-- 1 lcl lcl 24147377 May 15 16:30 RAW_OLYMPUS_C8080.ORF.ppm
The PPM file displays as an enlarged version of the original in nomacs.

Generate a thumbnail of the original image.
$ mem_image -e RAW_OLYMPUS_C8080.ORF
Processing RAW_OLYMPUS_C8080.ORF
$ display RAW_OLYMPUS_C8080.ORF.thumb.jpg
Whiteboard: (none) => MGA6-64-OK
Thanks yet again Len. Advisory from comment 12.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0242.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
0.18.9 fixed CVE-2018-5807 and CVE-2018-581[0-2]:
https://bugzilla.suse.com/show_bug.cgi?id=1103361
https://bugzilla.suse.com/show_bug.cgi?id=1103353
https://bugzilla.suse.com/show_bug.cgi?id=1103359
https://bugzilla.suse.com/show_bug.cgi?id=1103360

0.18.11 fixed CVE-2018-5813:
https://bugzilla.redhat.com/show_bug.cgi?id=1609954

openSUSE has issued an advisory for this today (August 10):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00068.html
0.18.9 also fixed CVE-2018-5808: https://www.debian.org/lts/security/2022/dla-2903