LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength.
Reference and upstream commit:
Created LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 1853478]
Created mingw-LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 1853479]
This flaw exists in libraw_cxx.cpp instead of the files listed in the upstream patch. The vulnerable methods LibRaw::dcraw_make_mem_thumb() and LibRaw::kodak_thumb_loader(), and LibRaw::unpack_thumb() exist there in LibRaw 0.19.4 and 0.19.5 which are shipped in RHEL-7 and RHEL-8 respectively. LibRaw is used in UI code within RHEL (kdegraphics, shotwell). In this case, an attacker would need to provide a crafted image file to a user to be processed by LibRaw using one of these UI applications. However, if LibRaw were used in an application that was provided untrusted input over a network, there would be more impact here.
While the vulnerable code exists in versions of LibRaw shipped with Red Hat Enterprise Linux 7 and 8, LibRaw is not used in services which accept data directly from a network, reducing impact.
Created attachment 1699874 [details]
This is my backport of the upstream fix for this CVE, I've applied it to Fedora 31 and 32 for 0.19.5.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):