Bug 968385 (CVE-2013-2126) - CVE-2013-2126 LibRaw: double-free flaw when handling damaged full-color in Foveon and sRAW files
Summary: CVE-2013-2126 LibRaw: double-free flaw when handling damaged full-color in Fo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2126
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 968387 970710 970713 984464
Blocks:
Reported: 2013-05-29 15:24 UTC by Vincent Danen
Modified: 2019-09-29 13:05 UTC (History)
Fixed In Version: LibRaw 0.15.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-24 16:56:08 UTC
Description Vincent Danen 2013-05-29 15:24:14 UTC
LibRaw 0.15.2 notes the following fix [1]:

* Fixed possible double call to free() on error recovery on damaged full-color (Foveon, sRAW) files.

Successful exploitation could allow for the execution of arbitrary code with the privileges of the user running an application linked to LibRaw.

This has been fixed in LibRaw 0.15.2 [2].

[1] http://www.libraw.org/news/libraw-0-15-2
[2] https://github.com/LibRaw/LibRaw/commit/19ffddb0fe1a4ffdb459b797ffcf7f490d28b5a6

Comment 1 Vincent Danen 2013-05-29 15:27:17 UTC
Created LibRaw tracking bugs for this issue

Affects: fedora-all [bug 968387]

Comment 2 Gwyn Ciesla 2013-05-29 15:28:52 UTC
This seems to affect 0.15.x branch only, we ship only 0.14.x currently.  Can you verify?

Comment 3 Vincent Danen 2013-05-29 21:18:13 UTC
This has been assigned CVE-2013-2126 as per:

http://www.openwall.com/lists/oss-security/2013/05/29/7

Comment 4 Vincent Danen 2013-05-29 22:39:22 UTC
(In reply to Jon Ciesla from comment #2)
> This seems to affect 0.15.x branch only, we ship only 0.14.x currently.  Can
> you verify?

No, it's just in a different place:

 798                 // allocate image as temporary buffer, size.
 799                 imgdata.rawdata.raw_alloc = calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
 800                 imgdata.image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;

But I can't tell if that means it's still problematic or not, or where the second hunk would be applied (the patch doesn't really show where the two free()'s are, and I'm not able to look at it closer right now). I think that _maybe_ it affects 0.14.x -- I can't definitively say one way or the other.
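
The aliasing pattern quoted in comment 4 (one calloc()'d block reachable through both imgdata.rawdata.raw_alloc and imgdata.image) is exactly what lets an error-recovery path that frees every non-NULL field free the same block twice. The following is an added C example and not LibRaw code: the img_t struct, distinct_allocations(), naive_free_calls() and release() are constructed stand-ins that show how to audit a set of pointer fields for aliasing and how an ownership-aware cleanup avoids the second free() even when it is invoked from two error paths.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two LibRaw fields quoted above; not LibRaw's real struct. */
typedef struct {
    void *raw_alloc;               /* owns the temporary buffer */
    unsigned short (*image)[4];    /* alias of raw_alloc after the cast */
} img_t;

/* Count distinct non-NULL pointers among n pointer fields. That is the number of
 * free() calls a cleanup path may legitimately make; every extra non-NULL field
 * that repeats an earlier pointer is a double free waiting to happen. */
size_t distinct_allocations(void *const ptrs[], size_t n) {
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        if (ptrs[i] == NULL) continue;
        int seen = 0;
        for (size_t j = 0; j < i; j++) {
            if (ptrs[j] == ptrs[i]) { seen = 1; break; }
        }
        if (!seen) distinct++;
    }
    return distinct;
}

/* free() calls a field-by-field cleanup (the vulnerable shape) would issue. */
size_t naive_free_calls(const img_t *img) {
    return (size_t)(img->raw_alloc != NULL) + (size_t)(img->image != NULL);
}

/* Hardened cleanup: raw_alloc owns the memory, image is only a view of it.
 * Drop the alias first, free the owner once, NULL both pointers so that a
 * second call from another error path is a harmless no-op.
 * Returns the number of free() calls actually made. */
size_t release(img_t *img) {
    size_t calls = 0;
    if ((void *)img->image == img->raw_alloc) img->image = NULL;
    if (img->raw_alloc) { free(img->raw_alloc); img->raw_alloc = NULL; calls++; }
    if (img->image)     { free(img->image);     img->image = NULL;     calls++; }
    return calls;
}

/* Allocate exactly as the quoted lines do, then compare what a naive cleanup
 * would do with what the hardened cleanup does when it runs twice.
 * Returns the number of double frees avoided, or -1 on allocation failure. */
int demo(size_t w, size_t h, size_t *naive, size_t *hardened) {
    img_t img = { NULL, NULL };
    img.raw_alloc = calloc(w * h, sizeof(*img.image));
    if (img.raw_alloc == NULL) return -1;
    img.image = (unsigned short (*)[4]) img.raw_alloc;   /* one block, two names */

    void *fields[] = { img.raw_alloc, (void *)img.image };
    size_t allowed = distinct_allocations(fields, 2);    /* 1 real allocation */
    *naive = naive_free_calls(&img);                     /* 2 frees: one too many */
    *hardened = release(&img) + release(&img);           /* 1 + 0 */
    return (int)(*naive - allowed);
}

/* Small wrappers so each result can be checked on its own. */
int demo_naive_calls(void)    { size_t n = 0, h = 0; return demo(64, 48, &n, &h) < 0 ? -1 : (int)n; }
int demo_hardened_calls(void) { size_t n = 0, h = 0; return demo(64, 48, &n, &h) < 0 ? -1 : (int)h; }
int demo_double_frees_avoided(void) { size_t n = 0, h = 0; return demo(64, 48, &n, &h); }

int main(void) {
    size_t naive = 0, hardened = 0;
    int avoided = demo(64, 48, &naive, &hardened);
    printf("naive cleanup would free %zu times, hardened cleanup freed %zu times, "
           "%d double free(s) avoided\n", naive, hardened, avoided);
    return avoided == 1 ? 0 : 1;
}
```

The design point is ownership: only the field that received the allocation frees it, every alias is cleared before that happens, and both are reset to NULL afterwards, so the order in which error paths run no longer matters. The distinct_allocations() audit is the kind of check you can run in a debug build before any cleanup to catch new aliases that later refactors introduce.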

Comment 5 Vincent Danen 2013-05-30 14:19:39 UTC
Upstream indicated that 0.14.x is definitely affected:

"0.14.x (but not 0.13.x and prior) are affected by double free() on same pointer"

Comment 6 Vincent Danen 2013-05-31 16:07:21 UTC
Upstream has kindly made this patch available for 0.14.x:

https://github.com/LibRaw/LibRaw/commit/c14ae36d28e80139b2f31b5d9d7623db3b597a3a

Comment 7 Vincent Danen 2013-06-04 16:43:53 UTC
darktable also embeds 0.14.x so needs to be fixed.

Comment 8 Vincent Danen 2013-06-04 16:44:46 UTC
Created darktable tracking bugs for this issue

Affects: fedora-all [bug 970710]

Comment 9 Vincent Danen 2013-06-04 16:47:24 UTC
OpenGTL also embeds LibRaw, as does digikam. OpenGTL embeds 0.10.0 and digikam embeds 0.15.0. OpenGTL does not look affected (the code is quite different but doesn't seem to be problematic), but digikam will need to be updated also.

Comment 10 Vincent Danen 2013-06-04 16:52:26 UTC
Created libkdcraw tracking bugs for this issue

Affects: fedora-all [bug 970713]

Comment 11 nucleo 2013-06-04 16:54:40 UTC
digikam built against system libkdcraw from KDE SC.

Comment 14 Jan Lieskovsky 2013-07-15 10:03:32 UTC
This issue affects the versions of the libkdcraw package, as shipped with Fedora releases 17, 18, and 19. Please schedule an update (use the child bug listed in c#10 of this bug to schedule that one).

--

This issue did NOT affect the version of the libkdcraw package, as shipped with Fedora EPEL-5 (the embedded LibRaw library does not contain the relevant vulnerable code yet).

Comment 15 Ngo Than 2013-07-15 13:10:59 UTC
I'm working on the update for libkdcraw