libraw 0.18.7 fixed CVE-2018-5801 (among other things) and dcraw is also affected. Fedora has issued an advisory for this on June 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B4QRYU6SJD34FIOACDR2QA5F4C3CWPOB/ Fedora added a patch to 9.28 to fix this: https://src.fedoraproject.org/cgit/rpms/dcraw.git/commit/?id=450f33d6fd161306d629a9b7c6f08364b6e2b311 See also Bug 21757 for some older issues that may or may not have been fixed. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Patch available from FedoraCVE: (none) => CVE-2018-5801Whiteboard: (none) => MGA6TOOSee Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21757
Assigning to the registered maintainer.
CC: (none) => marja11Assignee: bugsquad => shlomif
Fixed in mga7.
Whiteboard: MGA6TOO => (none)Version: Cauldron => 6
There's also CVE-2018-1956[5-8]: https://www.openwall.com/lists/oss-security/2018/11/27/1
Whiteboard: (none) => MGA6TOOVersion: 6 => Cauldron
Version: Cauldron => 6Whiteboard: MGA6TOO => (none)
Depends on: (none) => 24107
(In reply to David Walser from comment #3) > There's also CVE-2018-1956[5-8]: > https://www.openwall.com/lists/oss-security/2018/11/27/1 Moved to Bug 24107.
dcraw-9.26.0-1.1 was submitted to mga6 core/updates testing.
Advisory: ======================== Updated dcraw packages fix security vulnerability: A NULL pointer dereference flaw was found in the way dcraw processed images. An attacker could potentially use this flaw to crash dcraw by tricking it into processing crafted images (CVE-2018-5801). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5801 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B4QRYU6SJD34FIOACDR2QA5F4C3CWPOB/ ======================== Updated packages in core/updates_testing: ======================== dcraw-9.27.0-1.1.mga6 dcraw-gimp2.0-9.27.0-1.1.mga6 from dcraw-9.27.0-1.1.mga6.src.rpm
Depends on: 24107 => (none)Assignee: shlomif => qa-bugsSee Also: https://bugs.mageia.org/show_bug.cgi?id=21757 => (none)CC: (none) => shlomif
MGA6-32 MATE on IBM Thinkpad R50e No installation issues. Ref to bug 15926 Comment 1 at CLI. $ dcraw -iv *.ORF P7212389.ORF is een Olympus E-500 afbeelding. P7212390.ORF is een Olympus E-500 afbeelding. P7212391.ORF is een Olympus E-500 afbeelding. P7212392.ORF is een Olympus E-500 afbeelding. and $ strace -o dcraw.txt gimp and opening an ORF file in gimp, shows in the trace: lstat64("/usr/lib/gimp/2.0/plug-ins/rawphoto", {st_mode=S_IFREG|0755, st_size=15068, ...}) = 0 access("/usr/lib/gimp/2.0/plug-ins/rawphoto", X_OK) = 0 and picture shows OK. /usr/lib/gimp/2.0/plug-ins/rawphoto is installed by dcraw-gimp2.0
CC: (none) => herman.viaeneWhiteboard: (none) => MGA6-32-OK
Keywords: (none) => advisory, validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0017.html
Status: NEW => RESOLVEDResolution: (none) => FIXED