A flaw was found in LibRaw versions prior to 0.18.9. An error within the "find_green()" function (internal/dcraw_common.cpp) can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code.
Created LibRaw tracking bugs for this issue:
Affects: epel-6 [bug 1661519]
Increase Impact of the flaw to Important and set C:H/I:H/A:H because arbitrary code execution may be possible on affected versions.
RHEL 7 is not affected by this flaw because the attacker does not have control over the width field, as the find_green() function is always called after hardcoding values in the width/height fields that are less than 2064.
On the affected versions, function find_green() in internal/dcraw_common.cpp does not correctly check the "width" value, which is used to read/write from/to an array of 2064 elements. By providing a specially crafted image that is able to reach the find_green() function with a width greater than 2064, an attacker could overwrite data on the stack and execute arbitrary code.
This issue did not affect the versions of LibRaw as shipped with Red Hat Enterprise Linux 7 as it does not allow an attacker enough control to corrupt the internal state.
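The shape of the missing check, as an added illustration that is not LibRaw's own code: a constructed stand-in for find_green() keeps a 2064-column stack array like the real function, but rejects any width that would index past it before a single sample is written. It assumes 8-bit samples already in memory rather than the bitstream decode the real routine performs.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed illustration, not LibRaw's code. The real find_green() fills a
 * fixed 'ushort img[2][2064]' stack array with 'width' samples per row. */
#define FG_COLS 2064

/* Returns 1 if the second row's odd columns are the "greener" ones (the
 * dcraw-style comparison), 0 otherwise, and -1 when the caller-supplied
 * width would run past the fixed stack array. The width comes from image
 * metadata, so it is validated before any write into img[]. */
int find_green_checked(const uint8_t *row0, const uint8_t *row1, int width)
{
    uint16_t img[2][FG_COLS];
    double sum[2] = {0, 0};

    /* The bounds check the affected versions lacked: width must fit the
     * array and cover the three columns the comparison below reads. */
    if (!row0 || !row1 || width < 3 || width > FG_COLS)
        return -1;

    for (int col = 0; col < width; col++) {
        img[0][col] = row0[col];
        img[1][col] = row1[col];
    }

    /* Compare column 0 against column 1 and column 1 against column 2. */
    for (int c = 0; c < 2; c++)
        sum[c] += abs((int)img[0][c] - (int)img[1][c + 1]);

    return sum[0] < sum[1];
}
```

A width of 2065 or more is refused up front, which is the behaviour the 0.18.9 fix restores; a width within the array is processed normally.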