Bug 968385 - (CVE-2013-2126) CVE-2013-2126 LibRaw: double-free flaw when handling damaged full-color in Foveon and sRAW files
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130524,repor...
Keywords: Security
Depends On: 968387 970710 970713 984464
Reported: 2013-05-29 11:24 EDT by Vincent Danen
Modified: 2015-10-15 13:52 EDT
Fixed In Version: LibRaw 0.15.2
Doc Type: Bug Fix
Last Closed: 2013-12-24 11:56:08 EST
Description Vincent Danen 2013-05-29 11:24:14 EDT
LibRaw 0.15.2 notes the following fix [1]:

* Fixed possible double call to free() on error recovery on damaged full-color (Foveon, sRAW) files.

Successful exploitation could allow for the execution of arbitrary code with the privileges of the user running an application linked to LibRaw.

This has been fixed in LibRaw 0.15.2 [2].

[1] http://www.libraw.org/news/libraw-0-15-2
[2] https://github.com/LibRaw/LibRaw/commit/19ffddb0fe1a4ffdb459b797ffcf7f490d28b5a6
Comment 1 Vincent Danen 2013-05-29 11:27:17 EDT
Created LibRaw tracking bugs for this issue

Affects: fedora-all [bug 968387]
Comment 2 Jon Ciesla 2013-05-29 11:28:52 EDT
This seems to affect 0.15.x branch only, we ship only 0.14.x currently.  Can you verify?
Comment 3 Vincent Danen 2013-05-29 17:18:13 EDT
This has been assigned CVE-2013-2126 as per:

http://www.openwall.com/lists/oss-security/2013/05/29/7
Comment 4 Vincent Danen 2013-05-29 18:39:22 EDT
(In reply to Jon Ciesla from comment #2)
> This seems to affect 0.15.x branch only, we ship only 0.14.x currently.  Can
> you verify?

No, it's just in a different place:

 798                 // allocate image as temporary buffer, size.
 799                 imgdata.rawdata.raw_alloc = calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
 800                 imgdata.image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;

But I can't tell if that means it's still problematic or not, or where the second hunk would be applied (the patch doesn't really show where the two free()'s are), and I'm not able to look at it closer right now. I think that _maybe_ it affects 0.14.x -- I can't definitively say one way or the other.
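The defect class this bug describes, as an added C illustration that is not LibRaw code and not the upstream patch (whose diff is not shown on this page): one calloc() buffer reachable through two fields, modelled on the two quoted lines where imgdata.image is pointed at imgdata.rawdata.raw_alloc, and an error-recovery path that releases the buffer through both names. The struct names, the error path and the tracked_free() wrapper are constructed for this example; the wrapper counts a second release of the same pointer instead of calling free() again, because a real double free is undefined behaviour and cannot be exercised safely. The fixed cleanup frees through the owning pointer once and clears both names, so a later generic cleanup pass sees NULL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two LibRaw fields quoted above:
   raw_alloc owns the buffer, image is a second name for the same memory. */
typedef unsigned short ushort;
struct frame {
    void *raw_alloc;
    ushort (*image)[4];
};

/* Instrumented free(): remembers every pointer it has released and, on a
   second release of the same pointer, increments a counter instead of
   calling free() again (hypothetical helper, not part of LibRaw). */
#define MAX_FREED 16
static void *freed_log[MAX_FREED];
static int freed_count;
static int double_free_count;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_log[i] == p) {
            double_free_count++;   /* this is the bug being detected */
            return;
        }
    }
    if (freed_count < MAX_FREED)
        freed_log[freed_count++] = p;
    free(p);
}

static void reset_tracking(void)
{
    freed_count = 0;
    double_free_count = 0;
}

/* Allocation step shaped like the quoted lines: one calloc, two names. */
static int alloc_frame(struct frame *f, size_t w, size_t h)
{
    f->raw_alloc = calloc(w * h, sizeof(*f->image));
    if (f->raw_alloc == NULL)
        return -1;
    f->image = (ushort (*)[4]) f->raw_alloc;
    return 0;
}

/* Buggy error recovery: each field is released as if it owned the buffer,
   so the same pointer reaches free() twice. */
static int cleanup_buggy(struct frame *f)
{
    tracked_free(f->image);
    tracked_free(f->raw_alloc);
    return double_free_count;
}

/* Fixed error recovery: release once through the owning pointer, then clear
   both names. A later cleanup pass over the same fields is now a no-op. */
static int cleanup_fixed(struct frame *f)
{
    tracked_free(f->raw_alloc);
    f->raw_alloc = NULL;
    f->image = NULL;
    tracked_free(f->image);      /* NULL: nothing happens */
    tracked_free(f->raw_alloc);  /* NULL: nothing happens */
    return double_free_count;
}

/* Simulates decoding a damaged file: allocate, hit a decode error, recover.
   Returns how many double frees the instrumented free() observed. */
int simulate_damaged_file(int use_fix)
{
    struct frame f = {0};
    reset_tracking();
    if (alloc_frame(&f, 4, 4) != 0)
        return -1;
    return use_fix ? cleanup_fixed(&f) : cleanup_buggy(&f);
}

int main(void)
{
    printf("double frees with buggy cleanup: %d\n", simulate_damaged_file(0));
    printf("double frees with fixed cleanup: %d\n", simulate_damaged_file(1));
    return 0;
}
```

The same aliasing is what makes this worth catching at review time: whenever a struct holds two pointers into one allocation, exactly one of them should be treated as the owner in every error path, and clearing the alias after the free is the cheap way to make a repeated cleanup harmless.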
Comment 5 Vincent Danen 2013-05-30 10:19:39 EDT
Upstream indicated that 0.14.x is definitely affected:

"0.14.x (but not 0.13.x and prior) are affected by double free() on same pointer"
Comment 6 Vincent Danen 2013-05-31 12:07:21 EDT
Upstream has kindly made this patch available for 0.14.x:

https://github.com/LibRaw/LibRaw/commit/c14ae36d28e80139b2f31b5d9d7623db3b597a3a
Comment 7 Vincent Danen 2013-06-04 12:43:53 EDT
darktable also embeds 0.14.x so needs to be fixed.
Comment 8 Vincent Danen 2013-06-04 12:44:46 EDT
Created darktable tracking bugs for this issue

Affects: fedora-all [bug 970710]
Comment 9 Vincent Danen 2013-06-04 12:47:24 EDT
OpenGTL also embeds LibRaw, as does digikam. OpenGTL embeds 0.10.0 and digikam embeds 0.15.0. OpenGTL does not look affected (the code is quite different but doesn't seem to be problematic), but digikam will need to be updated also.
Comment 10 Vincent Danen 2013-06-04 12:52:26 EDT
Created libkdcraw tracking bugs for this issue

Affects: fedora-all [bug 970713]
Comment 11 nucleo 2013-06-04 12:54:40 EDT
digikam is built against the system libkdcraw from KDE SC.
Comment 14 Jan Lieskovsky 2013-07-15 06:03:32 EDT
This issue affects the versions of the libkdcraw package as shipped with Fedora releases 17, 18, and 19. Please schedule an update (use the child bug listed in c#10 of this bug to schedule it).

--

This issue did NOT affect the version of the libkdcraw package as shipped with Fedora EPEL-5 (the embedded LibRaw library does not yet contain the relevant vulnerable code).
Comment 15 Ngo Than 2013-07-15 09:10:59 EDT
I'm working on the update for libkdcraw.