CVEs have been assigned for security issues in dcraw: https://www.openwall.com/lists/oss-security/2018/11/27/1

Mageia 6 is also affected.
Blocks: (none) => 23252
Whiteboard: (none) => MGA6TOO
Blocks: 23252 => (none)
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21757
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
See also bug 21757; Re-assigning globally due to change to no specific maintainer.
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Assignee: shlomif => pkg-bugs
See Also: https://bugs.mageia.org/show_bug.cgi?id=21757 => (none)
Blocks: (none) => 21757
Depends on: (none) => 26406
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Status comment: (none) => No fix available as of end of 2020
To see if this is still really valid, does someone know how to test this? I would like to do it myself.
CC: (none) => mageia
CC: (none) => tarazed25
They are valid, but you need to build with asan to test...not really practical.
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
openSUSE has issued an advisory for this on April 20: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YDVWQ5ZUMZUOMBBPVXPXX6XNCBNZ2BMJ/ It fixes these issues and some additional issues.
Status comment: No fix available as of end of 2020 => Patches available from openSUSE
Summary: dcraw new security issues CVE-2018-1956[5-8] => dcraw new security issues CVE-2018-1956[5-8], CVE-2018-580[56], CVE-2021-3624
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information. (CVE-2018-19565)

A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information. (CVE-2018-19566)

A floating point exception in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code. (CVE-2018-19567)

A floating point exception in kodak_radc_load_raw in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code. (CVE-2018-19568)

A boundary error within the "quicktake_100_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to cause a stack-based buffer overflow and subsequently cause a crash. (CVE-2018-5805)

An error within the "leaf_hdr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a NULL pointer dereference. (CVE-2018-5806)

There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system. (CVE-2021-3624)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19565
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19567
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3624
https://www.openwall.com/lists/oss-security/2018/11/27/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YDVWQ5ZUMZUOMBBPVXPXX6XNCBNZ2BMJ/
========================

Updated packages in core/updates_testing:
========================

dcraw-9.28.0-6.1.mga8

from SRPM:
dcraw-9.28.0-6.1.mga8.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from openSUSE => (none)
Source RPM: (none) => dcraw-9.28.0-6.mga8.src.rpm
A query about this update: Reading the side note at https://seclists.org/oss-sec/2018/q4/171; it implies that updating dcraw might not benefit those packages which depend on bundled dcraw code, such as RawTherapee. So, should we expect an update for the latter some time soon?

Updated dcraw successfully.

Tried gwenview on a Kodak RAW file and it crashed without displaying the image.

org.kde.kdegraphics.gwenview.lib: Unresolved raw mime type "image/x-samsung-srw"
Couldn't start kuiserver from org.kde.kuiserver.service:......
Segmentation fault (core dumped)

With an ORF file the image appeared but the application crashed in the same way.

gthumb fared better. It displays the ORF files without any fuss. RAW files are not displayed but at least gthumb does not crash.

$ strace -o gthumb.trace gthumb
[...]
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/raw_files.extension", O_RDONLY) = 28
read(28, "[Extension]\nName[bs]=Raw format "..., 4096) = 3705
...
openat(AT_FDCWD, "/lib64/libraw.so.20", O_RDONLY|O_CLOEXEC) = 27
writev(6, [{iov_base="\20\0\7\0\23\0@\4_NET_WM_FRAME_DRAWN\0", iov_len=28}, {iov_base=NULL, iov_len=0}, {iov_base="", iov_len=0}], 3) = 28
...

dcraw is not listed.

$ urpmq --whatrequires-recursive dcraw | sort -u
dcraw
fotoxx
pfscalibration

fotoxx pulls in ufraw and rawtherapee. The latter uses bundled dcraw code.

$ urpmq --requires-recursive fotoxx | sort -u | grep raw
dcraw
lib64raw1394_11
rawtherapee
ufraw
ufraw-batch

Ran fotoxx. It indexed all the .RAW files in the selected directory but ignored .ORF. The thumbnails looked fine and show the full image when clicked. Warped one of the RAW images and saved it as a TIFF image which displayed OK but note that fotoxx segfaulted. Could find no useful information in the strace.

I did not perform a regression test so find it difficult to draw any conclusions from all this. It could do with some testing by other users.
Before update: Tried another machine using the same set of images before updating. gwenview handled the .ORF files without any problem but the crash occurred on exit. RAW files cause gwenview to crash when trying to display the thumbnails. gthumb can deal with .ORF files but does not show .RAW images. No crash. fotoxx failed to index the selected directory but could see the RAW images and present thumbnails. Warped one of the files and saved it as a JPEG. fotoxx closed down tidily. No problems with rawtherapee. Comparing these tests with the earlier ones might suggest that gwenview is unreliable before and afterwards and that there is a possible regression with gthumb and fotoxx. Shall update on this system to check that.
Continuation from comment 9. Confirmed that gwenview regresses when dcraw is updated. The interface crashes immediately when opened in the RAW directory. gthumb does not see the RAW files but displays the ORF images. Closes normally. fotoxx displays the .RAW images and derived images *.{ppm,tif,jpg,png} but not .ORF. Normal exit. rawtherapee works for .RAW and .ORF. So, gthumb, fotoxx and rawtherapee behave as before. gwenview is consistent.
Confirm Len's observation: my ORF (Olympus raw format) displays OK with gwenview, as do the Nikon ones (got them from Len I think ages ago), but the KODAK_C603_C643_FORMAT422_CCDI0001.RAW file does not. Tried to open that one in other programs and got some surprise: Rawtherapee seems to display some left bottom corner of the image, just the corner of some device with the name Paper Pro, and that's about it. Opening the same file with ristretto opens a larger portion, a children's drawing partly cut off, a picture of an old 2CV Citroen, and a text "Bonne Année", but mirrored. It seems some margins are cut off.
CC: (none) => herman.viaene
Followed up the various reports and found a PoC for CVE-2021-3624 which can be downloaded at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984761. The patch should fix an integer overflow vulnerability.

$ dcraw dcraw-poc.X3F
Potential buffer overflow (meta_length 1597603840, wide 65536, high 2495780049). Bailing out...

Looks like it does.
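The bail-out message in the previous comment prints the three header values the fix compares before any buffer is sized from them. The following is an added illustration of that class of check, not dcraw's code and not the Debian patch: the function names, the bytes-per-pixel parameter and the naive/checked pairing are assumptions chosen to show why a product of attacker-controlled wide/high values from an X3F header has to be formed with overflow detection rather than in plain 32-bit arithmetic. The first sample uses the values printed by the PoC run above; the 65536x65536 case is constructed to show a wrapping product slipping past a naive comparison.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative check (assumed names, not dcraw's): "meta_length" is the size
 * the file claims for its metadata block, "wide"/"high" are dimensions read
 * from the untrusted X3F header, "bpp" is an assumed bytes-per-pixel factor. */

/* Naive version: the product is formed in 32-bit unsigned arithmetic and
 * wraps modulo 2^32 before it is compared, so an oversized image can look
 * small enough to fit and a later copy runs past the allocated buffer. */
bool naive_fits(uint32_t meta_length, uint32_t wide, uint32_t high, uint32_t bpp)
{
    uint32_t needed = wide * high * bpp;   /* wraps silently on overflow */
    return needed <= meta_length;
}

/* Checked version: widen to 64 bits and refuse any intermediate result that
 * does not fit the 32-bit size space, i.e. bail out instead of allocating. */
bool checked_fits(uint32_t meta_length, uint32_t wide, uint32_t high, uint32_t bpp)
{
    uint64_t needed = (uint64_t)wide * (uint64_t)high;
    if (needed > UINT32_MAX)
        return false;                      /* wide*high itself overflowed 32 bits */
    needed *= bpp;                         /* cannot overflow 64 bits here */
    if (needed > UINT32_MAX)
        return false;                      /* ... or the byte count did */
    return needed <= meta_length;
}

static void report(const char *label, uint32_t meta_length,
                   uint32_t wide, uint32_t high, uint32_t bpp)
{
    printf("%s: meta_length %" PRIu32 ", wide %" PRIu32 ", high %" PRIu32
           " -> naive %s, checked %s\n", label, meta_length, wide, high,
           naive_fits(meta_length, wide, high, bpp) ? "accepts" : "rejects",
           checked_fits(meta_length, wide, high, bpp) ? "accepts" : "rejects");
}

int main(void)
{
    /* Values printed by the PoC run above (bpp = 1 is an assumption). */
    report("PoC X3F", 1597603840u, 65536u, 2495780049u, 1u);
    /* Constructed case: 65536 * 65536 wraps to 0 in 32-bit arithmetic. */
    report("wrapping", 1000u, 65536u, 65536u, 1u);
    /* Constructed sane image that both versions accept. */
    report("small", 1000u, 10u, 10u, 3u);
    return 0;
}
```

The wrapping case is the one to remember: a 32-bit `wide * high` of 65536 x 65536 is exactly 2^32 and becomes 0, so a size comparison written in the same width accepts it and whatever is later copied into the buffer overflows it. Widening before multiplying, or using a compiler builtin such as `__builtin_mul_overflow`, is the fix pattern; the exact expression dcraw's patch uses is in the Debian bug linked above.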
It is not clear what is happening with gwenview but in general dcraw appears to work based on comments 10, 11 and 12. In any case there is probably not much more we can do so my inclination is to release this and see if it generates any more bug reports.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 7.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0160.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED