In LibRaw, an out-of-bounds read vulnerability exists within the get_huffman_diff() function (libraw\src\x3f\x3f_utils_patched.cpp) when reading data from an image file. Upstream issue: https://github.com/LibRaw/LibRaw/issues/270 Upstream fix: https://github.com/LibRaw/LibRaw/commit/d75af00681a74dcc8b929207eb895611a6eceb68
What's the severity of this CVE? Moderate? For what it's worth, this CVE neither affects the LibRaw package in Fedora (F >= 35 has 0.20.2) nor in RHEL 9 (has 0.20.2). I didn't check packages that carry other copies of the same code (eg., dcraw).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35531