Bug 26406 - dcraw new security issue CVE-2018-19655
Summary: dcraw new security issue CVE-2018-19655
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
: 21757 (view as bug list)
Depends on:
Blocks: 24107
  Show dependency treegraph
Reported: 2020-04-01 00:28 CEST by David Walser
Modified: 2021-01-03 23:37 CET (History)
5 users (show)

See Also:
Source RPM: dcraw-9.28.0-2.mga7.src.rpm
Status comment:


Description David Walser 2020-04-01 00:28:42 CEST
Fedora has issued an advisory on March 29:

Mageia 7 is also affected.
David Walser 2020-04-01 00:29:03 CEST

Status comment: (none) => Patch available from Fedora
Blocks: (none) => 24107

Comment 1 Nicolas Salguero 2020-04-01 22:08:32 CEST
Suggested advisory:

The updated packages fix security vulnerabilities:

There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. (CVE-2017-13735)

In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-14608)

A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. (CVE-2018-19655)


Updated packages in core/updates_testing:

from SRPMS:

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Nicolas Salguero 2020-04-01 22:09:12 CEST

Source RPM: dcraw-9.28.0-4.mga8.src.rpm => dcraw-9.28.0-2.mga7.src.rpm

David Walser 2020-04-01 22:43:04 CEST

Status comment: Patch available from Fedora => (none)

Comment 2 Herman Viaene 2020-04-02 14:12:39 CEST
MGA7-64 Plasma on Lenovo B50
When selectting the dcraw-gimp2.0-9.28.0-2.1.mga7, I get the message:
"The following package has to be removed for others to be upgraded:
 (due to conflicts with dcraw-gimp2.0)"
Is that expected??
Proceeding with the installation.
When opening a raw file from dolphin with GIMP I get:
"Opening '/home/tester7/Pictures/RawORF/KODAK_C603_C643_FORMAT422_CCDI0001.RAW' failed: There is no RAW loader installed to open 'Raw Pentax PEF' files.

GIMP currently supports these RAW loaders:
- darktable (http://www.darktable.org/), at least 1.7
- RawTherapee (http://rawtherapee.com/), at least 5.2

Please install one of them in order to load RAW files."

Opening an ORF (Olympus) and a CR2 (Canon) works OK, but trying a NEF(Nikon) throws the same error as above.

I had previously no problems with those files, but I had always the ufraw installed which waas now thrown out.
To me this situation is a nogo.

CC: (none) => herman.viaene

Comment 3 David Walser 2020-04-02 14:15:01 CEST
The conflicts are what they are, and have nothing to do with does it actually work.
Comment 4 Herman Viaene 2020-04-02 14:20:46 CEST
OK, I could live with that, provided all types of RAW where handled, but they are not.
In the current situation, chances are that users implementing this update and using the Pentax or Nikon files are left out in the cold.
Comment 5 David Walser 2020-04-02 14:28:28 CEST
I'm guessing it's not a regression in this update, just a deficiency in dcraw in general.
Comment 6 Herman Viaene 2020-04-02 14:39:53 CEST
I'll try a downgrade tomorrow, as well as add ufraw again to the updated system.
Comment 7 Herman Viaene 2020-04-03 11:00:21 CEST
Turns out the pentax raw does not open in gimp with ufraw either. Gimp states it requires either darktable or rawtherapee. Installing rawtherapee, I can handle the files in GIMP, regardless whether dcraw-gimp is present or not.
So, in the end the update of dcraw-gimp does not harm anything, that's the best I can say about it.
Is that enough to OKit?
Comment 8 David Walser 2020-04-03 14:40:17 CEST
Sounds like it.
Herman Viaene 2020-04-03 14:42:15 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 9 Thomas Andrews 2020-04-03 16:15:21 CEST
Then let's validate it. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-04-04 00:15:08 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 10 Mageia Robot 2020-04-04 00:54:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 11 David Walser 2021-01-03 23:37:40 CET
*** Bug 21757 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.