Bug 2188240 (CVE-2023-1729)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-1729 LibRaw: a heap-buffer-overflow in raw2image_ex() | | |
| Product | [Other] Security Response | Reporter | Marian Rehak <mrehak> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | NEW --- | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | alekcejk, bugzilla_throwaway, debarshir, gwync |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted file may lead to an application crash. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2188276, 2188274, 2188275, 2188277, 2188282, 2188283, 2188284 | | |
| Bug Blocks | 2175642 | | |
Description

Marian Rehak
2023-04-20 08:52:02 UTC

Created LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 2188274]

Created digikam tracking bugs for this issue:
Affects: epel-all [bug 2188276]
Affects: fedora-all [bug 2188275]

Created mingw-LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 2188277]

---

I need access to 2175642 if I am to patch LibRaw for Fedora.

---

Hi, could you please provide more information on this CVE? Like a patch or the fixed version? Thanks!

---

(In reply to bugzilla_throwaway from comment #4)
> Hi, could you please provide more information on this CVE? Like a patch or
> the fixed version? Thanks!

Yeah, I can't fix this for RHEL without a reference to a patch or an issue. I don't see any relevant commits in 2023 to the upstream 0.21-stable branch: https://github.com/LibRaw/LibRaw/tree/0.21-stable

---

External reference to issue on https://access.redhat.com/security/cve/CVE-2023-1729 is https://github.com/LibRaw/LibRaw/issues/557

Should I apply fix https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93 to digiKam?

---

I found fix for LibRaw issue https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93 is applied in digiKam 8.0.0 sources https://invent.kde.org/graphics/digikam/-/commit/7ba146e67f3417f325e60343de4a9bc88e81f29b

So bug 2188275 can be closed with digiKam update to 8.0.0?

---

(In reply to nucleo from comment #7)
> I found fix for LibRaw issue
> https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93
> is applied in digiKam 8.0.0 sources
> https://invent.kde.org/graphics/digikam/-/commit/7ba146e67f3417f325e60343de4a9bc88e81f29b
>
> So bug 2188275 can be closed with digiKam update to 8.0.0?

Thank you, I'll get a LibRaw update out ASAP.

---

LibRaw backport for 0.21.x: https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828