There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984761
Flaw summary:

In the foveon_load_camf() function of dcraw.c, the `wide` and `high` variables are assigned by getting data from the file (via the get4() function, which reads 4 bytes from the input file). Therefore, a crafted file could control the values of these variables. They are used in the calculation of a size like so:

    meta_length = wide*high*3/2;
    meta_data = (char *) malloc (meta_length);

Therefore, it's possible for a maliciously crafted file to control the number of bytes allocated by this malloc() call and, for example, make the allocation too small. meta_data is subsequently filled with content from the input file as well. If an attacker is able to leverage this out-of-bounds write flaw to write to a key area in memory, it could potentially lead to code execution.
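The size calculation from the flaw summary, next to a bounds-checked variant, as an added example that is not part of the original comments or of dcraw's code. It assumes `wide`, `high` and `meta_length` are 32-bit unsigned values; the function names, the `max_len` limit and the sample dimensions are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The expression from the flaw summary, evaluated in 32-bit unsigned
   arithmetic (assumption: that is the type of wide, high and meta_length). */
static uint32_t unchecked_meta_length(uint32_t wide, uint32_t high)
{
    return wide * high * 3 / 2;            /* every step wraps modulo 2^32 */
}

/* Hypothetical hardened variant: do the arithmetic in 64 bits and reject any
   result above max_len (for example, the bytes remaining in the input file).
   Returns 0 and stores the length on success, -1 if the dimensions are rejected. */
static int checked_meta_length(uint32_t wide, uint32_t high,
                               uint64_t max_len, uint32_t *out)
{
    if (wide == 0 || high == 0)
        return -1;
    if (max_len > UINT32_MAX)
        max_len = UINT32_MAX;              /* result must fit the 32-bit field */
    uint64_t pixels = (uint64_t)wide * high;
    if (pixels > max_len)                  /* length >= pixels, so already too big */
        return -1;
    uint64_t len = pixels * 3 / 2;         /* pixels < 2^32, cannot wrap in 64 bits */
    if (len > max_len)
        return -1;
    *out = (uint32_t)len;
    return 0;
}

int main(void)
{
    /* Constructed sample dimensions: one plausible pair, two that wrap. */
    const uint32_t dims[][2] = { {4000, 3000}, {65536, 65536}, {65536, 65537} };
    const uint64_t limit = 64u * 1024 * 1024;   /* constructed 64 MiB cap */

    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t len = 0;
        int rc = checked_meta_length(dims[i][0], dims[i][1], limit, &len);
        printf("%ux%u: unchecked=%u checked=%s\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1],
               (unsigned)unchecked_meta_length(dims[i][0], dims[i][1]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The unchecked result for the wrapping pairs is far smaller than the true product, which is the mismatch between allocation size and data written that the flaw summary describes.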
I am curious why there's no tracking bug for Fedora, because it has the exact same version of LibRaw as RHEL 9 and for that we do have a bug.
Created LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 2019614]

Created dcraw tracking bugs for this issue:
Affects: fedora-all [bug 2019611]

Created kf5-libkdcraw tracking bugs for this issue:
Affects: fedora-all [bug 2019612]

Created mingw-LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 2019615]

Created rawtherapee tracking bugs for this issue:
Affects: fedora-all [bug 2019613]
In reply to comment #8:
> I am curious why there's no tracking bug for Fedora, because it has the
> exact same version of LibRaw as RHEL 9 and for that we do have a bug.

Thanks for pointing this out. I was going through older flaws and noticed this too, then saw your comment. I have no idea why Fedora didn't have trackers filed, especially since it was already marked affected/fix which usually means that trackers get auto-filed... Anyway, I filed them now.