LibRaw versions prior to 0.18.12 are vulnerable to an integer overflow in the internal/dcraw_common.cpp:parse_qt() function. An attacker could exploit this to cause an infinite loop via a specially crafted Apple QuickTime file. Reference: http://seclists.org/bugtraq/2018/Jul/58
Created LibRaw tracking bugs for this issue: Affects: fedora-all [bug 1610152] Created mingw-LibRaw tracking bugs for this issue: Affects: fedora-all [bug 1610153]
Created LibRaw tracking bugs for this issue: Affects: epel-6 [bug 1610161]
This looks like the patch: https://github.com/LibRaw/LibRaw/commit/4554e24ce24beaef5d0ef48372801cfd91039076
Introduced via: https://github.com/LibRaw/LibRaw/commit/05f1585e8f130b958e3a921d70acfd9656d45c35 This is not in RHEL7.
Statement: This issue did not affect the versions of LibRaw as shipped with Red Hat Enterprise Linux 7.
This was fixed in LibRaw 0.19.0-Beta6 and 0.18.12