Bug 1853477 (CVE-2020-15503)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2020-15503 LibRaw: lack of thumbnail size range check can lead to buffer overflow | | |
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | debarshir, dingyichen, gwync, hobbes1069, jridky, manisandro, nphilipp, siddharth.kde, siddhesh, than |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | LibRaw 0.20-RC1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 02:26:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1853478, 1853479, 1853528, 1853529 | | |
| Bug Blocks: | 1852094 | | |
| Attachments: | | | |
Description
Guilherme de Almeida Suckevicz
2020-07-02 18:57:22 UTC
Created LibRaw tracking bugs for this issue:

Affects: fedora-all [bug 1853478]

Created mingw-LibRaw tracking bugs for this issue:

Affects: fedora-all [bug 1853479]

This flaw exists in libraw_cxx.cpp instead of the files listed in the upstream patch. The vulnerable methods LibRaw::dcraw_make_mem_thumb(), LibRaw::kodak_thumb_loader(), and LibRaw::unpack_thumb() exist there in LibRaw 0.19.4 and 0.19.5, which are shipped in RHEL-7 and RHEL-8 respectively.

LibRaw is used in UI code within RHEL (kdegraphics, shotwell). In this case, an attacker would need to provide a crafted image file to a user to be processed by LibRaw using one of these UI applications. However, if LibRaw were used in an application that was provided untrusted input over a network, there would be more impact here.

Statement: While the vulnerable code exists in versions of LibRaw shipped with Red Hat Enterprise Linux 7 and 8, LibRaw is not used in services which accept data directly from a network, reducing impact.

Created attachment 1699874 [details]
Backported patch

This is my backport of the upstream fix for this CVE; I've applied it to Fedora 31 and 32 for 0.19.5.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15503
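As an added illustration that is not part of this bug report and is not LibRaw's own code: a simplified C model of the bug class named in the summary, where a thumbnail length read from the file is used to size a copy without being ranged against the destination buffer and the bytes actually present. The record layout (a 4-byte little-endian length followed by the data), the THUMB_MAX_BYTES capacity, the function names and the sample records are all constructed for this example and do not describe LibRaw's real parsing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example, not LibRaw's):
 * 4-byte little-endian declared thumbnail length, then the thumbnail bytes. */
#define THUMB_HEADER_LEN 4
#define THUMB_MAX_BYTES 64 /* capacity of the fixed destination buffer (constructed) */

enum thumb_status {
    THUMB_OK = 0,
    THUMB_ERR_SHORT_HEADER, /* fewer than 4 bytes present for the length field */
    THUMB_ERR_ZERO_LENGTH,  /* declared length of zero, nothing to decode */
    THUMB_ERR_TOO_LARGE,    /* declared length exceeds the destination capacity */
    THUMB_ERR_TRUNCATED     /* declared length exceeds the bytes actually present */
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The shape of the defect: the file-supplied length drives memcpy directly.
 * Kept only to show what the check below adds; never called here. */
static void load_thumb_unchecked(const uint8_t *file, uint8_t *out) {
    uint32_t declared = read_le32(file);
    memcpy(out, file + THUMB_HEADER_LEN, declared); /* overflows when declared > capacity */
}

/* Hardened form: every bound is validated before any byte is copied. */
enum thumb_status load_thumb_checked(const uint8_t *file, size_t file_len,
                                     uint8_t *out, size_t out_cap, size_t *copied) {
    if (file_len < THUMB_HEADER_LEN) return THUMB_ERR_SHORT_HEADER;
    uint32_t declared = read_le32(file);
    if (declared == 0) return THUMB_ERR_ZERO_LENGTH;
    if (declared > out_cap) return THUMB_ERR_TOO_LARGE;             /* destination bound */
    if (declared > file_len - THUMB_HEADER_LEN) return THUMB_ERR_TRUNCATED; /* source bound */
    memcpy(out, file + THUMB_HEADER_LEN, declared);
    if (copied) *copied = declared;
    return THUMB_OK;
}

/* Constructed sample records exercising each branch of the check. */
static const uint8_t SAMPLE_VALID[]     = {8, 0, 0, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
static const uint8_t SAMPLE_OVERSIZED[] = {0xff, 0xff, 0xff, 0x7f, 0, 0, 0, 0}; /* claims ~2 GiB */
static const uint8_t SAMPLE_TRUNCATED[] = {32, 0, 0, 0, 0, 0, 0, 0};             /* claims 32, has 4 */
static const uint8_t SAMPLE_ZERO[]      = {0, 0, 0, 0};
static const uint8_t SAMPLE_SHORT[]     = {1, 0};

/* Runs the checked loader against a record using a fixed-size destination. */
enum thumb_status check_sample(const uint8_t *rec, size_t rec_len, size_t *copied) {
    uint8_t out[THUMB_MAX_BYTES];
    return load_thumb_checked(rec, rec_len, out, sizeof out, copied);
}

/* Returns 1 when the valid sample decodes to exactly its 8 payload bytes. */
int sample_valid_roundtrip(void) {
    uint8_t out[THUMB_MAX_BYTES];
    size_t n = 0;
    if (load_thumb_checked(SAMPLE_VALID, sizeof SAMPLE_VALID, out, sizeof out, &n) != THUMB_OK)
        return 0;
    return n == 8 && memcmp(out, "ABCDEFGH", 8) == 0;
}

int main(void) {
    (void)load_thumb_unchecked; /* referenced only so the unused-function warning is silenced */
    printf("valid:     %d\n", check_sample(SAMPLE_VALID, sizeof SAMPLE_VALID, NULL));
    printf("oversized: %d\n", check_sample(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, NULL));
    printf("truncated: %d\n", check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL));
    printf("zero:      %d\n", check_sample(SAMPLE_ZERO, sizeof SAMPLE_ZERO, NULL));
    printf("short:     %d\n", check_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL));
    return sample_valid_roundtrip() ? 0 : 1;
}
```

The two bounds are deliberately separate: the destination check stops the heap or stack overflow, and the source check stops an over-read past the end of the file buffer, which a single "is the length sane" test would not cover. The same pattern applies wherever a size field from an image container is trusted to size an allocation or a copy.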