Bugzilla – Bug 1084688
VUL-1: CVE-2018-5802 libraw: Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp
Last modified: 2019-05-01 14:08:00 UTC
rh#1553335 An error within the "kodak_radc_load_raw()" function (internal/dcraw_common.cpp) related to the "buf" variable can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash. References: https://packetstormsecurity.com/files/146172/secunia-libraw.txt References: https://bugzilla.redhat.com/show_bug.cgi?id=1553335 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5802
No testcase found.
This seems to be SA#79000, or so it is referenced in git commit change log at least. Upstream fixes this SA as a whole, I will fix it so as well. https://github.com/LibRaw/LibRaw/commit/4cb60a6c8f1ec54e51e805d94213f4d49d6118f6 I will exclude dcraw.c, see bug 1060163 comment 6. I will also include fix for SA#81000. Affected: 42.3/libraw, 12/libraw
Packages submitted, I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1084688) was mentioned in https://build.opensuse.org/request/show/585853 42.3 / libraw
openSUSE-SU-2018:0731-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1084688,1084690,1084691 CVE References: CVE-2018-5800,CVE-2018-5801,CVE-2018-5802 Sources used: openSUSE Leap 42.3 (src): libraw-0.17.1-17.1
SUSE-SU-2018:3343-1: An update that fixes 5 vulnerabilities is now available. Category: security (low) Bug References: 1084688,1084690,1084691,1103200,1103353 CVE References: CVE-2018-5800,CVE-2018-5801,CVE-2018-5802,CVE-2018-5810,CVE-2018-5813 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP3 (src): libraw-0.15.4-21.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libraw-0.15.4-21.1 SUSE Linux Enterprise Desktop 12-SP3 (src): libraw-0.15.4-21.1
released