SUSE has issued an advisory today (February 24):
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013886.html

The issue is fixed upstream in 0.21.0/0.21.1:
https://www.libraw.org/news/libraw-0-21-release
https://www.libraw.org/news/libraw-0-21-1-release

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 0.21.0
Whiteboard: (none) => MGA8TOO
No one packager evident for libraw, so assigning this update globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp. (CVE-2021-32142)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32142
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013886.html
========================

Updated packages in core/updates_testing:
========================
lib(64)raw20-0.20.2-1.1.mga8
lib(64)raw_r20-0.20.2-1.1.mga8
lib(64)raw-devel-0.20.2-1.1.mga8
libraw-tools-0.20.2-1.1.mga8

from SRPM:
libraw-0.20.2-1.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Source RPM: libraw-0.20.2-3.mga9.src.rpm => libraw-0.20.2-1.mga8.src.rpm
Version: Cauldron => 8
Status comment: Fixed upstream in 0.21.0 => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
MGA8-64 MATE on Acer Aspire 5253.
No installation issues.
Followed largely lead from bug 26933 (tx Len for his files), except I don't have Fujitsy raw files.

$ multirender_test RAW_NIKON_E5700_SRGB.NEF
Processing file RAW_NIKON_E5700_SRGB.NEF
Writing file RAW_NIKON_E5700_SRGB.NEF.1.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.2.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.3.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.4.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.5.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.6.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.7.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.8.ppm

$ postprocessing_benchmark -R 20 RAW_NIKON_E5700_SRGB.NEF
Processing file RAW_NIKON_E5700_SRGB.NEF
246.3 msec for unpack
Performance: 0.48 Mpix/sec
File: RAW_NIKON_E5700_SRGB.NEF, Frame: 0 5.0 total Mpix, 10293.2 msec
Params: WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0
Crop: 0-0:1924x2576, active Mpix: 4.96, 0.1 frames/sec

$ raw-identify *.ORF
P7212389.ORF is a Olympus E-500 image.
P7212390.ORF is a Olympus E-500 image.
P7212391.ORF is a Olympus E-500 image.
P7212392.ORF is a Olympus E-500 image.
RAW_OLYMPUS_SP350.ORF is a Olympus SP350 image.

$ unprocessed_raw RAW_CANON_EOS_700D.CR2
Processing file RAW_CANON_EOS_700D.CR2
Image size: 5208x3476
Raw size: 5280x3528
Margins: top=52, left=72
Unpacked....
Stored to file RAW_CANON_EOS_700D.CR2.pgm

displayed all resulting files OK with ristretto

$ unprocessed_raw -g RAW_NI
RAW_NIKON_E5700_SRGB.NEF        RAW_NIKON_E5700_SRGB.NEF.3.ppm  RAW_NIKON_E5700_SRGB.NEF.6.ppm
RAW_NIKON_E5700_SRGB.NEF.1.ppm  RAW_NIKON_E5700_SRGB.NEF.4.ppm  RAW_NIKON_E5700_SRGB.NEF.7.ppm
RAW_NIKON_E5700_SRGB.NEF.2.ppm  RAW_NIKON_E5700_SRGB.NEF.5.ppm  RAW_NIKON_E5700_SRGB.NEF.8.ppm

$ unprocessed_raw -g RAW_NIKON_E5700_SRGB.NEF
Processing file RAW_NIKON_E5700_SRGB.NEF
Image size: 2576x1924
Raw size: 2576x1924
Margins: top=0, left=0
Unpacked....
Gamma-corrected....
Stored to file RAW_NIKON_E5700_SRGB.NEF.pgm

$ gthumb *.ORF
(gthumb:25508): Gtk-WARNING **: 11:58:52.759: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
Segmentation fault (core dumped)

This segmentation fault came on leaving gthumb after I selected one of the files.

[tester8@mach7 RawORF]$ gthumb *.ORF
(gthumb:25756): Gtk-WARNING **: 11:59:46.168: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory

In this case I just opened gthumb and saw all expected files and exited. No segfault.

$ mem_image -6 RAW_CANON_EOS_700D.CR2
Processing RAW_CANON_EOS_700D.CR2

$ simple_dcraw -L | wc -l
1118

One side remark: gwenview displays all other tiff and jpeg and gif's correctly but bombs out at the generated ppm and pgm files from this test. All work out OK with ristretto.
I feel this gwenview issue is no showstopper here.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0082.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED