Fedora has issued an advisory on March 29: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RD65NMWZ5OQNUIF7CLGKLDG4LVPPMJY7/ Mageia 7 is also affected.
Status comment: (none) => Patch available from Fedora
Blocks: (none) => 24107
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. (CVE-2017-13735)

In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-14608)

A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. (CVE-2018-19655)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19655
https://bugs.mageia.org/show_bug.cgi?id=21757
========================

Updated packages in core/updates_testing:
========================
dcraw-9.28.0-2.1.mga7
dcraw-gimp2.0-9.28.0-2.1.mga7

from SRPMS:
dcraw-9.28.0-2.1.mga7.src.rpm
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Source RPM: dcraw-9.28.0-4.mga8.src.rpm => dcraw-9.28.0-2.mga7.src.rpm
Status comment: Patch available from Fedora => (none)
MGA7-64 Plasma on Lenovo B50

When selecting the dcraw-gimp2.0-9.28.0-2.1.mga7, I get the message:
"The following package has to be removed for others to be upgraded: ufraw-gimp-0.22-11.mga7.x86_64 (due to conflicts with dcraw-gimp2.0)"
Is that expected?? Proceeding with the installation.

When opening a raw file from dolphin with GIMP I get:
"Opening '/home/tester7/Pictures/RawORF/KODAK_C603_C643_FORMAT422_CCDI0001.RAW' failed: There is no RAW loader installed to open 'Raw Pentax PEF' files. GIMP currently supports these RAW loaders: - darktable (http://www.darktable.org/), at least 1.7 - RawTherapee (http://rawtherapee.com/), at least 5.2 Please install one of them in order to load RAW files."

Opening an ORF (Olympus) and a CR2 (Canon) works OK, but trying a NEF (Nikon) throws the same error as above. I had previously no problems with those files, but I always had ufraw installed, which was now thrown out. To me this situation is a no-go.
CC: (none) => herman.viaene
The conflicts are what they are, and have nothing to do with whether it actually works.
OK, I could live with that, provided all types of RAW were handled, but they are not. In the current situation, chances are that users installing this update and using Pentax or Nikon files are left out in the cold.
I'm guessing it's not a regression in this update, just a deficiency in dcraw in general.
I'll try a downgrade tomorrow, as well as add ufraw again to the updated system.
Turns out the Pentax raw does not open in GIMP with ufraw either. GIMP states it requires either darktable or RawTherapee. Installing RawTherapee, I can handle the files in GIMP, regardless of whether dcraw-gimp is present or not. So, in the end the update of dcraw-gimp does not harm anything; that's the best I can say about it. Is that enough to OK it?
Sounds like it.
Whiteboard: (none) => MGA7-64-OK
Then let's validate it. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0157.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
*** Bug 21757 has been marked as a duplicate of this bug. ***