Bug 26933 - libraw new security issue CVE-2020-15503
Summary: libraw new security issue CVE-2020-15503
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: Mageia 7
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-10 20:55 CEST by David Walser
Modified: 2020-09-17 12:16 CEST

See Also:
Source RPM: libraw-0.19.2-1.mga7.src.rpm
CVE: CVE-2020-15503
Status comment:


Description David Walser 2020-07-10 20:55:21 CEST
Fedora has issued an advisory today (July 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DNGDWTO45TU4KGND75EUUEGUMNSOYC7H/

The issue is fixed upstream in 0.20-RC1.

Mageia 7 is also affected.
David Walser 2020-07-10 20:55:38 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-07-16 21:25:43 CEST
Assigning to José, the active maintainer.

Assignee: bugsquad => lists.jjorge

Comment 2 David Walser 2020-08-05 00:38:13 CEST
openSUSE has issued an advisory for this on July 26:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00075.html
Comment 3 David Walser 2020-08-05 00:54:20 CEST
Same advisory for openSUSE 15.2 from August 2:
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00001.html
Comment 4 Nicolas Salguero 2020-09-15 16:46:01 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength. (CVE-2020-15503)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15503
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DNGDWTO45TU4KGND75EUUEGUMNSOYC7H/
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00075.html
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00001.html
========================

Updated packages in core/updates_testing:
========================
libraw-tools-0.19.2-1.1.mga7
lib(64)raw19-0.19.2-1.1.mga7
lib(64)raw_r19-0.19.2-1.1.mga7
lib(64)raw-devel-0.19.2-1.1.mga7

from SRPM:
libraw-0.19.2-1.1.mga7.src.rpm

Assignee: lists.jjorge => qa-bugs
Whiteboard: MGA7TOO => (none)
Source RPM: libraw-0.19.5-2.mga8.src.rpm => libraw-0.19.2-1.mga7.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-15503
Version: Cauldron => 7
CC: (none) => nicolas.salguero
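
Added example (not part of this bug report and not LibRaw's code): the thumbnail size range check that the advisory in Comment 4 says was missing before the allocation, shown in C. The struct `thumb_image_t`, the function `thumb_copy_checked`, the status codes and the size bounds are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libraw_processed_image_t: header plus trailing data. */
typedef struct {
    uint32_t data_size;
    unsigned char data[];   /* flexible array member (C99) */
} thumb_image_t;

/* Assumed policy bounds for this example; not LibRaw's actual limits. */
#define THUMB_MIN_BYTES 16u
#define THUMB_MAX_BYTES (64u * 1024u * 1024u)

enum thumb_status { THUMB_OK = 0, THUMB_BAD_LENGTH, THUMB_TRUNCATED, THUMB_NO_MEMORY };

/*
 * Copy a thumbnail of `tlength` bytes out of `src`, which holds `avail`
 * readable bytes. `tlength` comes from the image file, so it is untrusted.
 * The unchecked pattern named in the advisory is
 *   malloc(sizeof(header) + tlength)
 * with no validation of tlength beforehand.
 */
enum thumb_status thumb_copy_checked(const unsigned char *src, size_t avail,
                                     uint32_t tlength, thumb_image_t **out)
{
    *out = NULL;

    /* 1. Range check on the file-supplied length. The upper bound also
     *    keeps sizeof(header) + tlength from wrapping on 32-bit size_t. */
    if (tlength < THUMB_MIN_BYTES || tlength > THUMB_MAX_BYTES)
        return THUMB_BAD_LENGTH;

    /* 2. The declared length must not exceed the data actually present. */
    if ((size_t)tlength > avail)
        return THUMB_TRUNCATED;

    /* 3. Allocate only after validation, and check the result. */
    thumb_image_t *img = malloc(sizeof(thumb_image_t) + tlength);
    if (img == NULL)
        return THUMB_NO_MEMORY;

    img->data_size = tlength;
    memcpy(img->data, src, tlength);
    *out = img;
    return THUMB_OK;
}
```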

Comment 5 Len Lawrence 2020-09-15 23:40:08 CEST
mga7, x64

CVE-2020-15503
No PoC available according to a Suse report.

Ran a command used before in testing libraw (bug 23186)
$ multirender_test RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Writing file RAW_NIKON_D1.NEF.1.ppm
Writing file RAW_NIKON_D1.NEF.2.ppm
Writing file RAW_NIKON_D1.NEF.3.ppm
Writing file RAW_NIKON_D1.NEF.4.ppm
Writing file RAW_NIKON_D1.NEF.5.ppm
Writing file RAW_NIKON_D1.NEF.6.ppm
Writing file RAW_NIKON_D1.NEF.7.ppm
Writing file RAW_NIKON_D1.NEF.8.ppm
The images looked fine.

Updated the four packages.

Ran that test again after deleting the PPM files.
$ multirender_test RAW_NIKON_D1.NEF
produced a series of PPM files as before, the basic image then transformations as thumbnails, as viewed by ImageMagick.
$ postprocessing_benchmark -R 20 RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
421.3 msec for unpack
Performance: 16.20 Mpix/sec
File: RAW_NIKON_D1.NEF, Frame: 0 2.7 total Mpix, 164.4 msec
Params:      WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0
Crop:        0-0:2012x1324, active Mpix: 2.66, 6.1 frames/sec

$ raw-identify RAW_OLYMPUS*.ORF
RAW_OLYMPUS_C8080.ORF is a Olympus C8080WZ image.
RAW_OLYMPUS_E420.ORF is a Olympus E-420 image.
RAW_OLYMPUS_E5.ORF is a Olympus E-5 image.
RAW_OLYMPUS_E-PL7.ORF is a Olympus E-PL7 image.
RAW_OLYMPUS_SP350.ORF is a Olympus SP350 image.

$ unprocessed_raw RAW_FUJI_S5PRO_V106.RAF
Processing file RAW_FUJI_S5PRO_V106.RAF
Image size: 3584x3583
Raw size: 4352x1444
Margins: top=2, left=32
Unpacked....
Stored to file RAW_FUJI_S5PRO_V106.RAF.pgm
$ display RAW_FUJI_S5PRO_V106.RAF.pgm
Rendered OK.
$ unprocessed_raw RAW_CANON_D60_ARGB.CRW
Processing file RAW_CANON_D60_ARGB.CRW
Image size: 3088x2056
Raw size: 3152x2068
Margins: top=12, left=64
Unpacked....
Stored to file RAW_CANON_D60_ARGB.CRW.pgm
$ display ...
The file appeared as a black panel.  ??

The same happened with this:
$ unprocessed_raw RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Image size: 2012x1324
Raw size: 2012x1324
Margins: top=0, left=0
Unpacked....
Stored to file RAW_NIKON_D1.NEF.pgm
$ display RAW_NIKON_D1.NEF.pgm

However, with a gamma correction of 2.2 the file displayed, albeit somewhat dimly.
$ unprocessed_raw -g RAW_NIKON_D1.NEF
Processing file RAW_NIKON_D1.NEF
Image size: 2012x1324
Raw size: 2012x1324
Margins: top=0, left=0
Unpacked....
Gamma-corrected....
Stored to file RAW_NIKON_D1.NEF.pgm
$ display RAW_NIKON_D1.NEF.pgm

Note that nomacs requires libraw and can be used to display raw images. It works fine on the local collection of raw images.  gthumb and shotwell can also deal with raw images.
$ gthumb *.ORF
Yep.  Thanks Herman for those - from a previous test.
$ shotwell KODAK*.RAW
That works also.

All this looks fine.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 6 Len Lawrence 2020-09-15 23:51:01 CEST
Found some more commands in an old report.
$ mem_image
mem_image - LibRaw sample, to illustrate work for memory buffers. Emulates dcraw [-4] [-1] [-e] [-h]
Usage: 	-h - use half_size
 [-D] [-T] [-v] [-e] raw-files....
	-6 - output 16-bit PPM
	-4 - linear 16-bit data
	-e - extract thumbnails (same as dcraw -e in separate run)
$ mem_image -6 RAW_FUJI_S6500FD.RAF
Processing RAW_FUJI_S6500FD.RAF
$ display RAW_FUJI_S6500FD.RAF.ppm
OK.
Find the number of supported cameras:
$ simple_dcraw -L | wc -l
1017
Comment 7 Aurelien Oudelet 2020-09-17 06:04:02 CEST
Validated update, Packages and Advisory in Comment 4.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Aurelien Oudelet 2020-09-17 06:05:06 CEST

Target Milestone: --- => Mageia 7

Comment 8 Mageia Robot 2020-09-17 12:16:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0368.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

