Bug 24094 - libraw new security issues CVE-2018-20337, CVE-2018-2036[3-5], and CVE-2018-581[7-9]
Summary: libraw new security issues CVE-2018-20337, CVE-2018-2036[3-5], and CVE-2018-5...
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: José Jorge
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-30 01:46 CET by David Walser
Modified: 2019-11-06 21:19 CET (History)
2 users (show)

See Also:
Source RPM: libraw-0.18.13-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-12-30 01:46:55 CET 
Upstream has released version 0.19.2 on December 24, fixing security issues:
https://www.libraw.org/news/libraw-0-19-2-release

Fedora has issued an advisory for this today (December 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X3NFQJ4J7TBVSZ7NQJIGKWT545H5JFFK/
Comment 1 Marja Van Waes 2018-12-31 18:13:09 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Comment 2 José Jorge 2018-12-31 19:13:58 CET 
"The POCs exploits inconsistency in Sinar-4Shot files handling. LibRaw 0.19 does not support this files format, so it is not subject of exactly same problem"

AFAI understand, this security issue does not concern also the version 0.18 we provide in MGA6, because it did not know this file format.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 3 David Walser 2018-12-31 19:47:06 CET 
Which of the 4 CVEs is that referring to?  Note that there are 4 issues here.

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Comment 4 José Jorge 2019-01-01 16:09:14 CET 
(In reply to David Walser from comment #3)
> Which of the 4 CVEs is that referring to?  Note that there are 4 issues here.

"Three different CVE numbers was assigned for single problem: CVE-2018-20363, CVE-2018-20364, CVE-2018-20365"

The last CVE is fixed with this code, which does not exist in 0.18 : https://github.com/LibRaw/LibRaw/commit/fbf60377c006eaea8d3eca3f5e4c654909dcdfd2

Status: REOPENED => RESOLVED
Resolution: (none) => INVALID

Comment 5 David Walser 2019-01-19 17:23:04 CET 
SUSE has issued an advisory for this on January 18:
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005044.html

As far back 0.15.x is affected.

It also adds more CVEs fixed upstream in 0.19.1.

Status: RESOLVED => REOPENED
Summary: libraw new security issues CVE-2018-20337 and CVE-2018-2036[3-5] => libraw new security issues CVE-2018-20337, CVE-2018-2036[3-5], and CVE-2018-581[7-9]
Resolution: INVALID => (none)

Comment 6 David Walser 2019-02-01 19:38:18 CET 
openSUSE has issued an advisory for this on January 29:
https://lists.opensuse.org/opensuse-updates/2019-01/msg00099.html
Comment 7 David Walser 2019-08-11 21:33:16 CEST 
Ubuntu has issued an advisory for this on May 21:
https://usn.ubuntu.com/3989-1/
Comment 8 Mike Rambo 2019-11-06 21:19:10 CET 
Mageia 6 is EOL.

CC: (none) => mrambo
Resolution: (none) => OLD
Status: REOPENED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.