Bug 34221 - libraw, digikam and darktable new security issues CVE-2025-4396[1-4]
Summary: libraw, digikam and darktable new security issues CVE-2025-4396[1-4]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-04-23 15:25 CEST by Nicolas Salguero
Modified: 2025-12-05 00:30 CET

See Also:
Source RPM: libraw-0.20.2-5.mga9.src.rpm, digikam-8.4.0-1.mga9.src.rpm, darktable-4.6.1-1.mga9.src.rpm
CVE: CVE-2025-43961, CVE-2025-43962, CVE-2025-43963, CVE-2025-43964
Status comment:



Nicolas Salguero 2025-04-23 15:27:52 CEST

CVE: (none) => CVE-2025-43961, CVE-2025-43962, CVE-2025-43963, CVE-2025-43964
Source RPM: (none) => libraw-0.20.2-5.mga9.src.rpm
Status comment: (none) => Patches available from upstream

Comment 1 Lewis Smith 2025-04-24 09:38:20 CEST
Thank you for the patch URLs.
Assigning directly to DavidG who mostly commits this pkg.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2025-05-02 09:01:02 CEST
Fedora has issued an advisory on April 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMNI4GAUYVWHWJ2MPCIEMWUBTIM32E2H/

Bundled libraw in digikam also needs to be patched or updated.

Summary: libraw new security issues CVE-2025-4396[1-4] => libraw and digikam new security issues CVE-2025-4396[1-4]
Whiteboard: (none) => MGA9TOO
Source RPM: libraw-0.20.2-5.mga9.src.rpm => libraw-0.20.2-5.mga9.src.rpm, digikam-8.6.0-1.mga10.src.rpm, digikam-8.4.0-1.mga9.src.rpm
Version: 9 => Cauldron

Comment 3 David GEIGER 2025-05-03 08:24:51 CEST
Cauldron fixed with both libraw and digikam!

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 4 Nicolas Salguero 2025-07-04 15:38:43 CEST
Fedora has issued an advisory on July 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3I3BWKSTHKFJDS7ZRYZSMCPXZLSPJKIW/

Summary: libraw and digikam new security issues CVE-2025-4396[1-4] => libraw, digikam and darktable new security issues CVE-2025-4396[1-4]
Source RPM: libraw-0.20.2-5.mga9.src.rpm, digikam-8.6.0-1.mga10.src.rpm, digikam-8.4.0-1.mga9.src.rpm => libraw-0.20.2-5.mga9.src.rpm, digikam-8.4.0-1.mga9.src.rpm, darktable-4.6.1-1.mga9.src.rpm

Comment 5 Nicolas Salguero 2025-11-19 11:12:09 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag parser. (CVE-2025-43961)

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations. (CVE-2025-43962)

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing. (CVE-2025-43963)

In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values. (CVE-2025-43964)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDAIVZ4BSSDOYXE25CJ6Z7KXPOF4A6GL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMNI4GAUYVWHWJ2MPCIEMWUBTIM32E2H/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3I3BWKSTHKFJDS7ZRYZSMCPXZLSPJKIW/
========================

Updated packages in core/updates_testing:
========================
lib(64)raw-devel-0.20.2-5.1.mga9
lib(64)raw20-0.20.2-5.1.mga9
lib(64)raw_r20-0.20.2-5.1.mga9
libraw-tools-0.20.2-5.1.mga9

digikam-8.4.0-1.1.mga9
lib(64)digikam-devel-8.4.0-1.1.mga9
lib(64)digikamcore8.4.0-8.4.0-1.1.mga9
lib(64)digikamdatabase8.4.0-8.4.0-1.1.mga9
lib(64)digikamgui8.4.0-8.4.0-1.1.mga9
showfoto-8.4.0-1.1.mga9

darktable-4.6.1-1.2.mga9
darktable-tools-basecurve-4.6.1-1.2.mga9
darktable-tools-noise-4.6.1-1.2.mga9

from SRPMS:
libraw-0.20.2-5.1.mga9.src.rpm
digikam-8.4.0-1.1.mga9.src.rpm
darktable-4.6.1-1.2.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 6 Herman Viaene 2025-11-20 11:41:46 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
For darktable ref bug 32887.
Opened darktable, imported some raw files, picked one to put a watermark on it. Closed and reopened darktable, change is OK.
For digikam, opened same set of raw files, opened one in the Image Editor, flipped it vertically and changed as a new version. This one displays OK in gwenview.
For libraw ref bug 31594 Comment 3
$ multirender_test RAW_NIKON_E5700_SRGB.NEF 
Processing file RAW_NIKON_E5700_SRGB.NEF
Writing file RAW_NIKON_E5700_SRGB.NEF.1.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.2.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.3.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.4.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.5.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.6.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.7.ppm
Writing file RAW_NIKON_E5700_SRGB.NEF.8.ppm
$ postprocessing_benchmark -R 20 RAW_NIKON_E5700_SRGB.NEF 
Processing file RAW_NIKON_E5700_SRGB.NEF

251.5 msec for unpack
Performance: 0.71 Mpix/sec
File: RAW_NIKON_E5700_SRGB.NEF, Frame: 0 5.0 total Mpix, 7021.1 msec
Params:      WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0
Crop:        0-0:1924x2576, active Mpix: 4.96, 0.1 frames/sec
$ raw-identify  *.ORF
P7212389.ORF is a Olympus E-500 image.
P7212390.ORF is a Olympus E-500 image.
P7212391.ORF is a Olympus E-500 image.
P7212392.ORF is a Olympus E-500 image.
RAW_OLYMPUS_SP350.ORF is a Olympus SP350 image.
$ unprocessed_raw RAW_CANON_EOS_700D.CR2 
Processing file RAW_CANON_EOS_700D.CR2
Image size: 5208x3476
Raw size: 5280x3528
Margins: top=52, left=72
Unpacked....
Stored to file RAW_CANON_EOS_700D.CR2.pgm
displayed all resulting files OK with gwenview

$ unprocessed_raw -g RAW_NI*
Processing file RAW_NIKON_E5700_SRGB.NEF
Image size: 2576x1924
Raw size: 2576x1924
Margins: top=0, left=0
Unpacked....
Gamma-corrected....
Stored to file RAW_NIKON_E5700_SRGB.NEF.pgm
Processing file RAW_NIKON_E5700_SRGB.NEF.1.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.1.ppm: Unsupported file format or not RAW file
Processing file RAW_NIKON_E5700_SRGB.NEF.2.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.2.ppm: Unsupported file format or not RAW file
Processing file RAW_NIKON_E5700_SRGB.NEF.3.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.3.ppm: Unsupported file format or not RAW file
Processing file RAW_NIKON_E5700_SRGB.NEF.4.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.4.ppm: Unsupported file format or not RAW file
Processing file RAW_NIKON_E5700_SRGB.NEF.5.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.5.ppm: Unsupported file format or not RAW file
Processing file RAW_NIKON_E5700_SRGB.NEF.6.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.6.ppm: Unsupported file format or not RAW file
Processing file RAW_NIKON_E5700_SRGB.NEF.7.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.7.ppm: Unsupported file format or not RAW file
Processing file RAW_NIKON_E5700_SRGB.NEF.8.ppm
Cannot open RAW_NIKON_E5700_SRGB.NEF.8.ppm: Unsupported file format or not RAW file

This is different from bug 31594, there all ppm files processed OK. Something missing in the installation??

$ unprocessed_raw -g RAW_NIKON_E5700_SRGB.NEF
Processing file RAW_NIKON_E5700_SRGB.NEF
Image size: 2576x1924
Raw size: 2576x1924
Margins: top=0, left=0
Unpacked....
Gamma-corrected....
Stored to file RAW_NIKON_E5700_SRGB.NEF.pgm
$ gthumb *.ORF

(process:100537): GLib-GIO-WARNING **: 11:27:30.801: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.
Segmentation fault (core dumped)

This is better than on bug 31594, as the gthumb operates correctly. The segmentation fault only occurs after closing gthumb.

$ mem_image -6 RAW_CANON_EOS_700D.CR2
Processing RAW_CANON_EOS_700D.CR2
$ simple_dcraw -L | wc -l
1118

This is all OK, except the issue with the ppm files, but I feel this should not stop the OK as the files play OK with gwenview.

CC: (none) => herman.viaene

katnatek 2025-11-20 20:55:07 CET

Keywords: (none) => advisory

Comment 7 Thomas Andrews 2025-11-21 17:31:40 CET
The ppm issue bothers me in principle. It worked before, now it doesn't. Do we have any idea why?

CC: (none) => andrewsfarm

Comment 8 Herman Viaene 2025-11-24 11:10:31 CET
I don't understand either. The ppm files display correctly in gwenview, gimp and in both showfoto and darktable which are part of this update.

katnatek 2025-11-24 18:52:50 CET

Keywords: (none) => feedback

Comment 9 katnatek 2025-12-03 02:19:24 CET
Returning to packager and CC to all packagers

Assignee: qa-bugs => nicolas.salguero
CC: (none) => pkg-bugs

Comment 10 Nicolas Salguero 2025-12-03 11:14:30 CET
(In reply to Herman Viaene from comment #6)
> $ unprocessed_raw -g RAW_NI*
> Processing file RAW_NIKON_E5700_SRGB.NEF
> Image size: 2576x1924
> Raw size: 2576x1924
> Margins: top=0, left=0
> Unpacked....
> Gamma-corrected....
> Stored to file RAW_NIKON_E5700_SRGB.NEF.pgm
> Processing file RAW_NIKON_E5700_SRGB.NEF.1.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.1.ppm: Unsupported file format or not
> RAW file
> Processing file RAW_NIKON_E5700_SRGB.NEF.2.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.2.ppm: Unsupported file format or not
> RAW file
> Processing file RAW_NIKON_E5700_SRGB.NEF.3.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.3.ppm: Unsupported file format or not
> RAW file
> Processing file RAW_NIKON_E5700_SRGB.NEF.4.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.4.ppm: Unsupported file format or not
> RAW file
> Processing file RAW_NIKON_E5700_SRGB.NEF.5.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.5.ppm: Unsupported file format or not
> RAW file
> Processing file RAW_NIKON_E5700_SRGB.NEF.6.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.6.ppm: Unsupported file format or not
> RAW file
> Processing file RAW_NIKON_E5700_SRGB.NEF.7.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.7.ppm: Unsupported file format or not
> RAW file
> Processing file RAW_NIKON_E5700_SRGB.NEF.8.ppm
> Cannot open RAW_NIKON_E5700_SRGB.NEF.8.ppm: Unsupported file format or not
> RAW file

In fact, when I looked carefully at bug 31594, the command "unprocessed_raw -g ..." only applies to "RAW_NIKON_E5700_SRGB.NEF"; the ppm files are not raw files.

Assignee: nicolas.salguero => qa-bugs
Keywords: feedback => (none)

Comment 11 Thomas Andrews 2025-12-03 16:24:29 CET
If I'm understanding this correctly, you are saying that the command in Herman's tests in both bugs actually did the same thing, but there is informational feedback to the terminal now where there wasn't any before? 

(Making the new behavior a 'feature' rather than a 'regression'?)

Comment 12 Nicolas Salguero 2025-12-03 16:27:21 CET
(In reply to Thomas Andrews from comment #11)
> If I'm understanding this correctly, you are saying that the command in
> Herman's tests in both bugs actually did the same thing, but there is
> informational feedback to the terminal now where there wasn't any before? 

No, I am just saying that, in bug 31594, the test command was not "unprocessed_raw -g RAW_NI*" but was "unprocessed_raw -g RAW_NIKON_E5700_SRGB.NEF".
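
Added example, not part of the original thread and not LibRaw code: the difference between the two test commands comes from shell glob expansion, because multirender_test had already written .ppm files next to the NEF input. The sketch below rebuilds the file names from comment 6 as empty placeholder files in a temporary directory (constructed data; the helper names make_workspace and count_matches are hypothetical) and counts what each pattern expands to.

```shell
#!/bin/sh
# Constructed workspace: file names copied from the terminal output in
# comment 6. The files are empty placeholders; no LibRaw tool is run.
make_workspace() {
    dir=$(mktemp -d) || return 1
    : > "$dir/RAW_NIKON_E5700_SRGB.NEF"
    # multirender_test wrote .1.ppm to .8.ppm next to the input file
    i=1
    while [ "$i" -le 8 ]; do
        : > "$dir/RAW_NIKON_E5700_SRGB.NEF.$i.ppm"
        i=$((i + 1))
    done
    printf '%s\n' "$dir"
}

# Print how many existing files in directory $1 match glob pattern $2.
# Runs in a subshell so the caller's working directory is untouched.
count_matches() (
    cd "$1" || exit 1
    n=0
    for f in $2; do            # unquoted on purpose: let the shell expand it
        if [ -e "$f" ]; then   # an unmatched pattern stays literal, skip it
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
)

ws=$(make_workspace)
# Pattern from this bug: also picks up the eight generated .ppm files.
echo "RAW_NI*      -> $(count_matches "$ws" 'RAW_NI*') files"
# Pattern anchored on the raw extension: only the NEF input.
echo "RAW_NI*.NEF  -> $(count_matches "$ws" 'RAW_NI*.NEF') file"
rm -rf "$ws"
```

Running QA commands with a pattern anchored on the raw extension, or with the explicit file name as in bug 31594, keeps results comparable between test runs even after earlier steps have written output files into the same directory.
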
Comment 13 Thomas Andrews 2025-12-03 17:00:23 CET
Ah.

Sometimes I can be rather dense. Please forgive me.

Comment 14 katnatek 2025-12-03 19:57:44 CET
Then should be OK. What do you think, Herman?

Comment 15 Herman Viaene 2025-12-04 09:11:35 CET
I can go with you.

Whiteboard: (none) => MGA9-64-OK

Comment 16 Thomas Andrews 2025-12-04 16:55:34 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2025-12-05 00:30:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0316.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

