Bug 1661604 (CVE-2018-5819)

Summary: CVE-2018-5819 LibRaw: DoS in parse_sinar_ia function in internal/dcraw_common.cpp
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: debarshir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20181213,reported=20181217,source=internet,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L,cwe=CWE-400,fedora-28/LibRaw=affected,fedora-all/mingw-LibRaw=affected,epel-6/LibRaw=affected,rhel-7/LibRaw=affected,rhel-8/LibRaw=affected
Fixed In Version: LibRaw 0.19.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1543597, 1661605, 1661607, 1654688, 1661606, 1663163, 1663164    
Bug Blocks: 1661524    

Description Laura Pardo 2018-12-21 17:55:20 UTC
LibRaw is vulnerable to a denial of service, caused by a flaw in the parse_sinar_ia function in internal/dcraw_common.cpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.


References:
https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html

Comment 1 Laura Pardo 2018-12-21 17:55:40 UTC
Created LibRaw tracking bugs for this issue:

Affects: epel-6 [bug 1661607]
Affects: fedora-28 [bug 1661605]


Created mingw-LibRaw tracking bugs for this issue:

Affects: fedora-all [bug 1661606]

Comment 2 Riccardo Schirone 2019-01-03 10:26:19 UTC
Upstream patch:
https://github.com/LibRaw/LibRaw/commit/e67a9862d10ebaa97712f532eca1eb5e2e410a22

Comment 3 Riccardo Schirone 2019-01-03 10:31:32 UTC
Function parse_sinar_ia() execute a loop for X times, where X is read from the file and is not properly checked. By providing a very large number (or a negative one) it is possible to execute the loop many time and waste resources.

Comment 7 Debarshi Ray 2019-02-01 13:54:15 UTC
Fixed in LibRaw-0.19.1