In LibRaw, there is an out-of-bounds read vulnerability in the "LibRaw::parseSonySRF()" function (libraw\src\metadata\sony.cpp) when processing Sony SRF files. Upstream issue: https://github.com/LibRaw/LibRaw/issues/283 Upstream fix: https://github.com/LibRaw/LibRaw/commit/c243f4539233053466c1309bde606815351bee81
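The bug class behind this report is a metadata parser that takes an offset and a length out of the file and reads at that position without checking them against the size of the data actually loaded. The following is an added illustration of that pattern and its hardened form; it is not LibRaw's parseSonySRF() code and makes no claim about how the real bug is triggered. The 16-byte "file" layout (a 4-byte little-endian offset/length header followed by payload) is constructed for the example and is not the SRF format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "file": LE u16 offset (4), LE u16 length (12), 12 payload bytes.
 * This layout is invented for the example; it is not the real SRF structure. */
static const uint8_t kGoodFile[] = {
    0x04, 0x00, 0x0C, 0x00,
    'S', 'R', 'F', ' ', 's', 'a', 'm', 'p', 'l', 'e', '!', '!'
};

/* Same bytes, but the header claims a payload length of 0x1000 while the
 * buffer holds only 16 bytes. A trusting parser reads far past the end. */
static const uint8_t kBadFile[] = {
    0x04, 0x00, 0x00, 0x10,
    'S', 'R', 'F', ' ', 's', 'a', 'm', 'p', 'l', 'e', '!', '!'
};

static uint16_t get_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: offset and length come straight from the file and are
 * never compared with file_len, so a crafted header yields an out-of-bounds
 * read of the source buffer. (Only called with in-bounds input below.) */
static size_t copy_payload_unchecked(const uint8_t *file, size_t file_len,
                                     uint8_t *out, size_t out_len)
{
    (void)file_len;                 /* the bug: the real size is ignored */
    uint16_t off = get_u16le(file);
    uint16_t len = get_u16le(file + 2);
    if (len > out_len)
        len = (uint16_t)out_len;    /* protects out, not the source read */
    memcpy(out, file + off, len);
    return len;
}

/* Hardened form: every value taken from the file is validated against the
 * size of the buffer that was actually read, with an overflow-safe check. */
static int copy_payload_checked(const uint8_t *file, size_t file_len,
                                uint8_t *out, size_t out_len, size_t *copied)
{
    if (file_len < 4)
        return -1;                  /* header itself does not fit */
    size_t off = get_u16le(file);
    size_t len = get_u16le(file + 2);
    /* Written as two comparisons so off + len cannot wrap around. */
    if (off > file_len || len > file_len - off)
        return -1;                  /* payload would run past the file */
    if (len > out_len)
        return -1;                  /* payload would run past the destination */
    memcpy(out, file + off, len);
    *copied = len;
    return 0;
}

/* Run an input through the checked reader: payload size on success, -1 on rejection. */
static int checked_result(const uint8_t *file, size_t file_len)
{
    uint8_t out[64];
    size_t n = 0;
    if (copy_payload_checked(file, file_len, out, sizeof out, &n) != 0)
        return -1;
    return (int)n;
}

static int good_file_bytes(void) { return checked_result(kGoodFile, sizeof kGoodFile); }
static int bad_file_bytes(void)  { return checked_result(kBadFile, sizeof kBadFile); }

static int unchecked_good_file_bytes(void)
{
    uint8_t out[64];
    return (int)copy_payload_unchecked(kGoodFile, sizeof kGoodFile, out, sizeof out);
}

int main(void)
{
    printf("checked reader, well-formed file: %d bytes\n", good_file_bytes());
    printf("checked reader, oversized length: %d (rejected)\n", bad_file_bytes());
    printf("unchecked reader, well-formed file: %d bytes\n", unchecked_good_file_bytes());
    return 0;
}
```

Running the unchecked reader on kBadFile is deliberately left out: it would read beyond the 16-byte array, which is exactly the condition tools such as AddressSanitizer flag on a real fuzz case. The two-comparison bounds check is the part worth copying; a single `off + len > file_len` can wrap on 32-bit or with wide length fields and pass.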
What's the severity of this CVE? Moderate? For what it's worth, this CVE affects neither the LibRaw package in Fedora (F >= 35 has 0.20.2) nor the one in RHEL 9 (has 0.20.2). I didn't check packages that carry other copies of the same code (e.g., dcraw).