LibRaw before 0.18.4 has a heap-based buffer overflow in the processCanonCameraInfo function via a crafted file.

Upstream bug:
https://github.com/LibRaw/LibRaw/issues/100

Upstream patch:
https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21

References:
https://bugzilla.novell.com/show_bug.cgi?id=1058467
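Added illustration, not LibRaw code and not from the reporter: a small C model of the allocation and the two unconditional stores that the hunk quoted later in this bug shows in processCanonCameraInfo, run under the pre-fix policy (malloc(len) for a tag 0x000d entry) and the fixed policy (malloc(MAX(16,len)) plus the maxlen<16 guard). Every store is bounds-checked instead of performed, so the model reports which file-supplied lengths would overflow without corrupting its own heap. The names simulate_camera_info, run_camera_info_prologue, count_oob_lengths and ci_result are hypothetical, and the model assumes that the len stored in lenCanonCameraInfo is what later reaches processCanonCameraInfo as maxlen, which the quoted hunk does not itself show.

```c
/* Added illustration, not LibRaw code: models the allocation and the two
 * unconditional stores behind CVE-2017-14348, before and after the fix,
 * with every store bounds-checked instead of performed. */
#include <stdio.h>
#include <stdlib.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

enum ci_result {
    CI_OK = 0,        /* every modelled store landed inside the allocation */
    CI_TOO_SHORT = 1, /* hardened guard refused the buffer (maxlen < 16) */
    CI_OOB_WRITE = 2, /* a store would have landed past the allocation */
    CI_SKIPPED = 3,   /* entry rejected by the existing len < 256000 bound */
    CI_ALLOC_FAIL = 4
};

/* Model of the prologue of processCanonCameraInfo: the quoted hunk shows it
 * storing to CameraInfo[0] and CameraInfo[1] before looking at 'id', and the
 * fix inserting 'if(maxlen<16) return;' ahead of those stores. Instead of
 * writing blindly, each index is compared with the allocation size so the
 * model reports what the real code would do without corrupting its heap. */
static enum ci_result run_camera_info_prologue(unsigned char *buf, size_t alloc,
                                               unsigned maxlen, int hardened)
{
    static const size_t touched[] = { 0, 1 };
    if (hardened && maxlen < 16)
        return CI_TOO_SHORT;
    for (size_t i = 0; i < sizeof touched / sizeof touched[0]; i++) {
        if (touched[i] >= alloc)
            return CI_OOB_WRITE;
        buf[touched[i]] = 0;
    }
    return CI_OK;
}

/* Simulate one tag 0x000d ("camera info") entry whose length field in the
 * crafted file says 'len' bytes. hardened == 0 allocates malloc(len) as the
 * pre-fix parser did; hardened != 0 allocates MAX(16, len) as the fix does.
 * Assumption (not shown on the page): the same 'len' that is stored in
 * lenCanonCameraInfo is what later arrives as the maxlen argument. */
enum ci_result simulate_camera_info(unsigned len, int hardened)
{
    if (len >= 256000)
        return CI_SKIPPED;
    size_t alloc = hardened ? (size_t)MAX(16u, len) : (size_t)len;
    /* calloc(..., 1) with a minimum of one byte: malloc(0) may legitimately
     * return NULL and the model needs a pointer even for len == 0. The
     * bounds check uses the real 'alloc', so len 0 and 1 are still reported
     * as out-of-bounds under the pre-fix policy. */
    unsigned char *buf = calloc(alloc ? alloc : 1, 1);
    if (!buf)
        return CI_ALLOC_FAIL;
    /* The real parser does fread(buf, len, 1, ifp) here; the bytes' content
     * does not matter for this overflow, only 'len' does, so it is omitted. */
    enum ci_result r = run_camera_info_prologue(buf, alloc, len, hardened);
    free(buf);
    return r;
}

/* How many length values in [0, upto) make the prologue write out of
 * bounds under the given allocation policy. */
unsigned count_oob_lengths(int hardened, unsigned upto)
{
    unsigned n = 0;
    for (unsigned len = 0; len < upto; len++)
        if (simulate_camera_info(len, hardened) == CI_OOB_WRITE)
            n++;
    return n;
}

int main(void)
{
    static const char *names[] = { "ok", "too-short", "OOB-write", "skipped", "alloc-fail" };
    unsigned probes[] = { 0, 1, 2, 15, 16, 256000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("len=%6u  pre-fix: %-10s  fixed: %s\n", probes[i],
               names[simulate_camera_info(probes[i], 0)],
               names[simulate_camera_info(probes[i], 1)]);
    printf("lengths below 32 that overflow: pre-fix %u, fixed %u\n",
           count_oob_lengths(0, 32), count_oob_lengths(1, 32));
    return 0;
}
```

Build with any C99 compiler and run it: lengths 0 and 1 come out as out-of-bounds writes under the old policy and as guard rejections under the new one; 2 and above are in bounds for the two stores the model covers, and whether the per-model switch body reads further than that is outside what the quoted hunk shows and outside this model.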
Created LibRaw tracking bugs for this issue:
Affects: epel-6 [bug 1492125]
Affects: fedora-all [bug 1492122]

Created dcraw tracking bugs for this issue:
Affects: fedora-all [bug 1492123]

Created libkdcraw tracking bugs for this issue:
Affects: fedora-all [bug 1492126]

Created mingw-LibRaw tracking bugs for this issue:
Affects: fedora-all [bug 1492127]

Created rawtherapee tracking bugs for this issue:
Affects: fedora-all [bug 1492124]
Hi, I think the upstream commit referenced is not the correct one. For CVE-2017-14348 it should be https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2

Regards,
Salvatore
The patch I have includes those changes, except for this, which doesn't apply. --- dcraw/dcraw.c +++ dcraw/dcraw.c @@ -7071,6 +7071,7 @@ void CLASS setCanonBodyFeatures (unsigned id) void CLASS processCanonCameraInfo (unsigned id, uchar *CameraInfo, unsigned maxlen) { ushort iCanonLensID = 0, iCanonMaxFocal = 0, iCanonMinFocal = 0, iCanonLens = 0, iCanonCurFocal = 0, iCanonFocalType = 0; + if(maxlen<16) return; // too short, so broken CameraInfo[0] = 0; CameraInfo[1] = 0; switch (id) { @@ -8631,7 +8632,7 @@ void CLASS parse_makernote_0xc634(int base, int uptag, unsigned dng_writer) { if (tag == 0x000d && len < 256000) // camera info { - CanonCameraInfo = (uchar*)malloc(len); + CanonCameraInfo = (uchar*)malloc(MAX(16,len)); fread(CanonCameraInfo, len, 1, ifp); lenCanonCameraInfo = len; } @@ -9496,7 +9497,7 @@ void CLASS parse_makernote (int base, int uptag) { if (tag == 0x000d && len < 256000) // camera info { - CanonCameraInfo = (uchar*)malloc(len); + CanonCameraInfo = (uchar*)malloc(MAX(16,len)); fread(CanonCameraInfo, len, 1, ifp); lenCanonCameraInfo = len; }
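Review bot: the new guard `if(maxlen<16) return;` at the top of processCanonCameraInfo introduces the bare constant 16 with only "too short, so broken" to justify it, while the only accesses visible in the hunk are the stores to CameraInfo[0] and CameraInfo[1]; say which case in the switch (id) body needs 16 bytes, or better, give the bound a name that the two malloc(MAX(16,len)) sites in the same patch reuse, so the guard and the allocation minimum cannot drift apart. The guard is also a silent return, so callers get no signal that the Canon camera-info block was discarded; acceptable for a robustness fix, but worth a comment.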
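Review bot: in the parse_makernote_0xc634 hunk, `malloc(MAX(16,len))` now over-allocates, but the following `fread(CanonCameraInfo, len, 1, ifp)` fills only len bytes and its return value is still unchecked (as is malloc's), so for len < 16 the tail of the buffer is uninitialized and a short read leaves all of it uninitialized. Since `lenCanonCameraInfo = len` keeps the original length, the new maxlen guard only helps if every consumer bounds itself on lenCanonCameraInfo rather than on the allocation; a calloc (or a memset of the padding) plus a check on fread's return value would make this hunk self-contained.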
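Review bot: the parse_makernote hunk is a line-for-line copy of the parse_makernote_0xc634 hunk (same `tag == 0x000d && len < 256000` test, same `malloc(MAX(16,len))`, same unchecked fread, same `lenCanonCameraInfo = len`); factor those lines into one helper called from both makernote parsers so the minimum size and any later malloc/fread checks are changed in one place rather than two.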
Created LibRaw tracking bugs for this issue: Affects: epel-6 [bug 1494406]