Bug 968385 (CVE-2013-2126)
Summary: | CVE-2013-2126 LibRaw: double-free flaw when handling damaged full-color in Foveon and sRAW files | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | alekcejk, dvratil, extras-orphan, gwync, jlieskov, jreznik, kevin, ltinkl, madko, rdieter, rnovacek, siddharth.kde, smparrish, than |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | LibRaw 0.15.2 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-12-24 16:56:08 UTC | Type: | --- |
Bug Depends On: | 968387, 970710, 970713, 984464 | Bug Blocks: | |

Description
Vincent Danen
2013-05-29 15:24:14 UTC
Created LibRaw tracking bugs for this issue

Affects: fedora-all [bug 968387]

This seems to affect 0.15.x branch only, we ship only 0.14.x currently. Can you verify?

This has been assigned CVE-2013-2126 as per:

http://www.openwall.com/lists/oss-security/2013/05/29/7

(In reply to Jon Ciesla from comment #2)
> This seems to affect 0.15.x branch only, we ship only 0.14.x currently. Can
> you verify?

No, it's just in a different place:

```c
// allocate image as temporary buffer, size.
imgdata.rawdata.raw_alloc = calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
imgdata.image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
```

But I can't tell if that means it's still problematic or not, or where the second hunk would be applied (the patch doesn't really show where the two free()'s are, and I'm not able to look at it closer right now). I think that _maybe_ it affects 0.14.x -- I can't definitively say one way or the other.

Upstream indicated that 0.14.x is definitely affected:

"0.14.x (but not 0.13.x and prior) are affected by double free() on same pointer"

Upstream has kindly made this patch available for 0.14.x:

https://github.com/LibRaw/LibRaw/commit/c14ae36d28e80139b2f31b5d9d7623db3b597a3a

darktable also embeds 0.14.x so needs to be fixed.

Created darktable tracking bugs for this issue

Affects: fedora-all [bug 970710]

OpenGTL also embeds LibRaw, as does digikam. OpenGTL embeds 0.10.0 and digikam embeds 0.15.0. OpenGTL does not look affected (the code is quite different but doesn't seem to be problematic), but digikam will need to be updated also.

Created libkdcraw tracking bugs for this issue

Affects: fedora-all [bug 970713]

digikam built against system libkdcraw from KDE SC.

This issue affects the versions of the libkdcraw package, as shipped with Fedora release of 17, 18, and 19. Please schedule an update (use child bug listed in c#10 of this bug to schedule that one).

--

This issue did NOT affect the version of the libkdcraw package, as shipped with Fedora EPEL-5 (the embedded LibRaw library does not contain relevant vulnerable code part yet).

I'm working on the update for libkdcraw
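
The excerpt quoted in the thread stores one `calloc()` result in two pointers, which is the precondition for the "double free() on same pointer" that upstream describes. The following is an added example, not LibRaw code and not the upstream patch: a simplified model of that aliasing with a cleanup routine that frees the block once and clears both pointers. The struct and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned short ushort;

/* Hypothetical stand-in for the two fields in the quoted excerpt. */
struct raw_state {
    void *raw_alloc;        /* pointer returned by calloc() */
    ushort (*image)[4];     /* may alias raw_alloc, as in the excerpt */
};

static int free_calls;      /* instrumentation: real free() calls made */

static void counted_free(void *p) {
    if (p) { free(p); free_calls++; }
}

/* Same shape as the excerpt: one allocation, two pointers to it. */
static int alloc_image(struct raw_state *s, size_t w, size_t h) {
    s->raw_alloc = calloc(w * h, sizeof(*s->image));
    s->image = (ushort (*)[4]) s->raw_alloc;
    return s->raw_alloc != NULL;
}

/* How many times a cleanup that frees each field separately would pass
   the same block to free(). Only counts; it never calls free(). */
static int naive_frees_of_block(const struct raw_state *s) {
    int n = 0;
    if (s->image) n++;                                          /* free(s->image) */
    if (s->raw_alloc && s->raw_alloc == (void *) s->image) n++; /* free(s->raw_alloc) */
    return n;
}

/* Hardened cleanup: free through the owner once, then clear every alias. */
static void release_image(struct raw_state *s) {
    if (s->image && (void *) s->image != s->raw_alloc)
        counted_free(s->image);     /* image owns a separate block */
    counted_free(s->raw_alloc);
    s->image = NULL;
    s->raw_alloc = NULL;
}

int main(void) {
    struct raw_state s = {0};
    if (!alloc_image(&s, 4, 4)) return 1;
    printf("naive cleanup would free the block %d times\n", naive_frees_of_block(&s));
    release_image(&s);
    release_image(&s);              /* repeated error-path cleanup is harmless */
    printf("hardened cleanup called free() %d time(s)\n", free_calls);
    return 0;
}
```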