Bug 24107 - dcraw new security issues CVE-2018-1956[5-8], CVE-2018-580[56], CVE-2021-3624
Summary: dcraw new security issues CVE-2018-1956[5-8], CVE-2018-580[56], CVE-2021-3624
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All  OS: Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 26406
Blocks: 21757
Reported: 2019-01-01 05:27 CET by David Walser
Modified: 2022-05-06 22:18 CEST (History)

See Also:
Source RPM: dcraw-9.28.0-6.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-01-01 05:27:04 CET
CVEs have been assigned for security issues in dcraw:
https://www.openwall.com/lists/oss-security/2018/11/27/1

Mageia 6 is also affected.
David Walser 2019-01-01 05:27:18 CET

Blocks: (none) => 23252
Whiteboard: (none) => MGA6TOO

David Walser 2019-01-02 15:12:32 CET

Blocks: 23252 => (none)

David Walser 2019-01-02 15:13:02 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21757

Comment 1 Marja Van Waes 2019-01-02 20:27:19 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

David Walser 2019-06-23 19:22:55 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 2 Lewis Smith 2019-11-28 16:02:27 CET
See also bug 21757;
Re-assigning globally due to change to no specific maintainer.

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Assignee: shlomif => pkg-bugs

David Walser 2020-01-14 18:10:47 CET

See Also: https://bugs.mageia.org/show_bug.cgi?id=21757 => (none)
Blocks: (none) => 21757

David Walser 2020-04-01 00:29:03 CEST

Depends on: (none) => 26406

David Walser 2020-12-28 17:09:50 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

David Walser 2020-12-29 00:12:49 CET

Status comment: (none) => No fix available as of end of 2020

Comment 3 Nicolas Lécureuil 2021-03-12 22:25:35 CET
To see if this is still really valid, does someone know how to test this?

I would like to do it myself

CC: (none) => mageia

Nicolas Lécureuil 2021-03-12 22:25:52 CET

CC: (none) => tarazed25

Comment 4 David Walser 2021-03-12 22:29:57 CET
They are valid, but you need to build with asan to test...not really practical.
Comment 5 David Walser 2021-07-01 18:42:48 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 6 David Walser 2022-04-20 16:50:05 CEST
openSUSE has issued an advisory for this on April 20:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YDVWQ5ZUMZUOMBBPVXPXX6XNCBNZ2BMJ/

It fixes these issues and some additional issues.

Status comment: No fix available as of end of 2020 => Patches available from openSUSE
Summary: dcraw new security issues CVE-2018-1956[5-8] => dcraw new security issues CVE-2018-1956[5-8], CVE-2018-580[56], CVE-2021-3624

Comment 7 Nicolas Salguero 2022-04-21 11:42:26 CEST
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information. (CVE-2018-19565)

A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information. (CVE-2018-19566)

A floating point exception in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code. (CVE-2018-19567)

A floating point exception in kodak_radc_load_raw in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code. (CVE-2018-19568)

A boundary error within the "quicktake_100_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to cause a stack-based buffer overflow and subsequently cause a crash. (CVE-2018-5805)

An error within the "leaf_hdr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a NULL pointer dereference. (CVE-2018-5806)

There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system. (CVE-2021-3624)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19565
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19567
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3624
https://www.openwall.com/lists/oss-security/2018/11/27/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YDVWQ5ZUMZUOMBBPVXPXX6XNCBNZ2BMJ/
========================

Updated packages in core/updates_testing:
========================
dcraw-9.28.0-6.1.mga8

from SRPM:
dcraw-9.28.0-6.1.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from openSUSE => (none)
Source RPM: (none) => dcraw-9.28.0-6.mga8.src.rpm

Comment 8 Len Lawrence 2022-04-23 12:47:41 CEST
A query about this update:
Reading the side note at https://seclists.org/oss-sec/2018/q4/171, it implies that updating dcraw might not benefit those packages which depend on bundled dcraw code, such as RawTherapee.  So, should we expect an update for the latter some time soon?

Updated dcraw successfully.
Tried gwenview on a Kodak RAW file and it crashed without displaying the image.

org.kde.kdegraphics.gwenview.lib: Unresolved raw mime type  "image/x-samsung-srw"
Couldn't start kuiserver from org.kde.kuiserver.service:......
Segmentation fault (core dumped)
With an ORF file the image appeared but the application crashed in the same way.
gthumb fared better.  It displays the ORF files without any fuss.  RAW files are not displayed but at least gthumb does not crash.
$ strace -o gthumb.trace gthumb
[...]
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/raw_files.extension", O_RDONLY) = 28
read(28, "[Extension]\nName[bs]=Raw format "..., 4096) = 3705
...
openat(AT_FDCWD, "/lib64/libraw.so.20", O_RDONLY|O_CLOEXEC) = 27
writev(6, [{iov_base="\20\0\7\0\23\0@\4_NET_WM_FRAME_DRAWN\0", iov_len=28}, {iov_base=NULL, iov_len=0}, {iov_base="", iov_len=0}], 3) = 28
...

dcraw is not listed.
$ urpmq --whatrequires-recursive dcraw | sort -u
dcraw
fotoxx
pfscalibration

fotoxx pulls in ufraw and rawtherapee.  The latter uses bundled dcraw code.
$ urpmq --requires-recursive fotoxx | sort -u | grep raw
dcraw
lib64raw1394_11
rawtherapee
ufraw
ufraw-batch

Ran fotoxx.  It indexed all the .RAW files in the selected directory but ignored .ORF.  The thumbnails looked fine and show the full image when clicked.
Warped one of the RAW images and saved it as a TIFF image which displayed OK but note that fotoxx segfaulted.  Could find no useful information in the strace.

I did not perform a regression test so find it difficult to draw any conclusions from all this.  It could do with some testing by other users.
Comment 9 Len Lawrence 2022-04-23 15:49:24 CEST
Before update:

Tried another machine using the same set of images before updating.  gwenview handled the .ORF files without any problem but the crash occurred on exit.  RAW files cause gwenview to crash when trying to display the thumbnails.

gthumb can deal with .ORF files but does not show .RAW images.  No crash.

fotoxx failed to index the selected directory but could see the RAW images and present thumbnails.  Warped one of the files and saved it as a JPEG.  fotoxx closed down tidily.

No problems with rawtherapee.

Comparing these tests with the earlier ones might suggest that gwenview is unreliable before and afterwards and that there is a possible regression with gthumb and fotoxx.  Shall update on this system to check that.
Comment 10 Len Lawrence 2022-04-23 16:36:34 CEST
Continuation from comment 9.
Confirmed that gwenview regresses when dcraw is updated.  The interface crashes immediately when opened in the RAW directory.

gthumb does not see the RAW files but displays the ORF images.  Closes normally.

fotoxx displays the .RAW images and derived images *.{ppm,tif,jpg,png} but not .ORF.  Normal exit.

rawtherapee works for .RAW and .ORF.

So, gthumb, fotoxx and rawtherapee behave as before.  gwenview is consistent.
Comment 11 Herman Viaene 2022-05-03 17:11:41 CEST
Confirm Len's observation: my ORF (Olympus raw format) displays OK with gwenview, as do the Nikon ones (got them from Len I think ages ago), but the KODAK_C603_C643_FORMAT422_CCDI0001.RAW file does not.
Tried to open that one in other programs and got some surprise:
Rawtherapee seems to display some left bottom corner of the image, just the corner of some device with the name Paper Pro, and that's about it.
Opening the same file with ristretto opens a larger portion, a child's drawing partly cut off, a picture of an old 2CV Citroën, and a text "Bonne Année", but mirrored. It seems some margins are cut off.

CC: (none) => herman.viaene

Comment 12 Len Lawrence 2022-05-04 13:25:02 CEST
Followed up the various reports and found a PoC for CVE-2021-3624 which can be downloaded at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984761.
The patch should fix an integer overflow vulnerability.
$ dcraw dcraw-poc.X3F
Potential buffer overflow (meta_length 1597603840, wide 65536, high 2495780049). Bailing out...

Looks like it does.
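The two bug classes behind this update, shown side by side as an added C example (this is not dcraw's code and not the openSUSE patch): a 32-bit size computation that wraps on a crafted width/height, the kind of integer overflow CVE-2021-3624 describes and the patched dcraw now bails out on, next to a checked version; and a header-derived divisor guarded before use, the SIGFPE class in the CVE-2018-19567/19568 entries of the advisory. The meta_length/wide/high values are the ones the patched dcraw printed above; the function names, the bpp parameter, the 65536x65536 pair and the 640x480 sample header are assumptions constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values printed by the patched dcraw on the Debian PoC (comment 12). */
#define POC_META_LENGTH 1597603840u
#define POC_WIDE        65536u
#define POC_HIGH        2495780049u

/* Unchecked: a 32-bit buffer-size computation silently wraps modulo 2^32,
 * so a crafted header can make a huge image look tiny. (Illustrative,
 * not dcraw's actual code.) */
uint32_t naive_raw_bytes(uint32_t wide, uint32_t high, uint32_t bpp)
{
    return wide * high * bpp;
}

/* Hardened: widen before multiplying, test the remaining product before it
 * can wrap, and bound the result by the length the file header claims for
 * the data block. Returns false when the header cannot be trusted. */
bool checked_raw_bytes(uint32_t wide, uint32_t high, uint32_t bpp,
                       uint64_t meta_length, uint64_t *out)
{
    uint64_t pixels, bytes;

    if (wide == 0 || high == 0 || bpp == 0)
        return false;                     /* degenerate header */
    pixels = (uint64_t)wide * high;       /* two uint32 factors always fit */
    if (pixels > UINT64_MAX / bpp)        /* pixels * bpp might not */
        return false;
    bytes = pixels * bpp;
    if (bytes > meta_length)              /* would read past the block */
        return false;
    *out = bytes;
    return true;
}

/* A divisor taken from the file must be checked before use; an integer
 * division by zero raises SIGFPE and kills the process. */
bool checked_div(uint32_t num, uint32_t den, uint32_t *out)
{
    if (den == 0)
        return false;
    *out = num / den;
    return true;
}

int main(void)
{
    uint64_t bytes;
    uint32_t q;

    /* Constructed 65536x65536: the 32-bit product is exactly 0. */
    printf("naive 32-bit size for 65536x65536x1: %" PRIu32 " bytes\n",
           naive_raw_bytes(65536u, 65536u, 1u));
    printf("naive 32-bit size for PoC header:     %" PRIu32 " bytes\n",
           naive_raw_bytes(POC_WIDE, POC_HIGH, 1u));

    if (!checked_raw_bytes(POC_WIDE, POC_HIGH, 1u, POC_META_LENGTH, &bytes))
        printf("Potential buffer overflow (meta_length %" PRIu32
               ", wide %" PRIu32 ", high %" PRIu32 "). Bailing out...\n",
               POC_META_LENGTH, POC_WIDE, POC_HIGH);

    if (checked_raw_bytes(640u, 480u, 2u, 1000000u, &bytes))   /* sane header */
        printf("640x480x2 fits: %" PRIu64 " bytes\n", bytes);

    if (!checked_div(10u, 0u, &q))
        printf("zero divisor from header rejected instead of SIGFPE\n");
    return 0;
}
```

The 65536x65536 case is the instructive one: the unchecked product is 0, which passes any "is it larger than the block" comparison, while the widened computation correctly reports 4294967296 bytes and rejects the header. ASan (comment 4) would catch the resulting over-read at runtime; the arithmetic check catches it before any allocation or read happens.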
Comment 13 Len Lawrence 2022-05-04 17:38:38 CEST
It is not clear what is happening with gwenview but in general dcraw appears to work based on comments 10, 11 and 12.  In any case there is probably not much more we can do so my inclination is to release this and see if it generates any more bug reports.
Len Lawrence 2022-05-05 00:43:17 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 14 Thomas Andrews 2022-05-06 00:54:19 CEST
Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-06 21:03:56 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 15 Mageia Robot 2022-05-06 22:18:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0160.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

