LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength. Reference and upstream commit: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d
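As an added illustration (not code from LibRaw or from the upstream commit), the unchecked allocation pattern described above next to a range-checked version; the header struct, the byte limit and the offset/file-size parameters are assumptions chosen for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>

// Stand-in for libraw_processed_image_t (hypothetical layout; only the size
// of the header matters for the allocation arithmetic below).
struct processed_image_hdr {
    uint32_t type;
    uint16_t height, width, colors, bits;
    uint32_t data_size;
};

// Assumed upper bound for an embedded thumbnail, in bytes.
static const uint64_t kMaxThumbBytes = 512ULL * 1024 * 1024;

// Before the fix: tlength (T.tlength) is read straight from the file and
// drives the allocation. A huge value wastes memory or, after size_t wrap on
// a 32-bit build, yields a buffer far smaller than the bytes later copied in.
void *alloc_thumb_unchecked(uint32_t tlength) {
    return malloc(sizeof(processed_image_hdr) + tlength); // no validation
}

// After: reject lengths that cannot be a real thumbnail, that run past the
// end of the input file, or whose sum with the header would wrap size_t.
bool thumb_length_ok(uint32_t tlength, uint64_t thumb_offset, uint64_t file_size) {
    if (tlength < 64u) return false;                      // too small for any image
    if (tlength > kMaxThumbBytes) return false;           // implausible for a thumbnail
    if (thumb_offset > file_size) return false;           // offset itself is bogus
    if (tlength > file_size - thumb_offset) return false; // data would run off the file
    uint64_t total = static_cast<uint64_t>(sizeof(processed_image_hdr)) + tlength;
    if (total > static_cast<uint64_t>(SIZE_MAX)) return false; // size_t wrap (32-bit)
    return true;
}

// Allocation gated on the range check; returns nullptr instead of a
// mis-sized buffer when the header-supplied length is rejected.
processed_image_hdr *alloc_thumb_checked(uint32_t tlength, uint64_t thumb_offset,
                                         uint64_t file_size) {
    if (!thumb_length_ok(tlength, thumb_offset, file_size)) return nullptr;
    auto *img = static_cast<processed_image_hdr *>(
        malloc(sizeof(processed_image_hdr) + tlength));
    if (img) img->data_size = tlength;
    return img;
}
```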
Created LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 1853478]

Created mingw-LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 1853479]
This flaw exists in libraw_cxx.cpp instead of the files listed in the upstream patch. The vulnerable methods LibRaw::dcraw_make_mem_thumb(), LibRaw::kodak_thumb_loader(), and LibRaw::unpack_thumb() exist there in LibRaw 0.19.4 and 0.19.5, which are shipped in RHEL-7 and RHEL-8 respectively. LibRaw is used in UI code within RHEL (kdegraphics, shotwell). In this case, an attacker would need to provide a crafted image file to a user to be processed by LibRaw using one of these UI applications. However, if LibRaw were used in an application that was provided untrusted input over a network, there would be more impact here.
Statement: While the vulnerable code exists in versions of LibRaw shipped with Red Hat Enterprise Linux 7 and 8, LibRaw is not used in services which accept data directly from a network, reducing impact.
Created attachment 1699874: Backported patch

This is my backport of the upstream fix for this CVE; I've applied it to Fedora 31 and 32 for 0.19.5.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8
Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15503