Bugzilla – Bug 1120499
VUL-1: CVE-2018-20364: libraw: LibRaw:copy_bayer in libraw_cxx.cpp has a NULL pointer dereference
Last modified: 2021-09-27 16:40:21 UTC
LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20364 http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20364.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20364 https://github.com/LibRaw/LibRaw/issues/194
According to a comment from the usptream issue [1] we might not be affected by this, since only a development branch was affected. However there were some backports for the 0.18.x branch for similar issues. Petr, do you think this is relevant and applicable for us? [1]: https://github.com/LibRaw/LibRaw/issues/195#issuecomment-449730837
TW/libraw $ postprocessing_benchmark 1111 Processing file 1111 2.1 msec for unpack Performance: 0.32 Mpix/sec File: 1111, Frame: 0 0.0 total Mpix, 25.9 msec Params: WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0 Crop: 0-0:32x257, active Mpix: 0.01, 38.6 frames/sec $ [no asan report] 15/libraw $ postprocessing_benchmark 1111 Processing file 1111 Cannot open_file 1111: Unsupported file format or not RAW file $ [no asan report] 12/libraw $ postprocessing_benchmark 1111 Processing file 1111 4.3 msec for unpack Performance: 1.32 Mpix/sec File: 1111, Frame: 0 0.0 total Mpix, 6.2 msec Params: WB=default Highlight=0 Qual=-1 HalfSize=No Median=0 Wavelet=0 Crop: 0-0:32x257, active Mpix: 0.01, 160.3 frames/sec $ [no asan report] Upstream assumes this is fixed in https://github.com/LibRaw/LibRaw/commit/7903346bfd5f8c24e5bfd4df48f0e5cd1e7b65cb which is already part of the fix for CVE-2018-20365, which was ported into all maintained code streams.
Will submit for 15,12/libraw.
I believe all fixed.
Info provided.
SUSE-SU-2019:0127-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 1120498,1120499,1120500,1120515,1120516,1120517 CVE References: CVE-2018-20363,CVE-2018-20364,CVE-2018-20365,CVE-2018-5817,CVE-2018-5818,CVE-2018-5819 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP4 (src): libraw-0.15.4-30.1 SUSE Linux Enterprise Workstation Extension 12-SP3 (src): libraw-0.15.4-30.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libraw-0.15.4-30.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libraw-0.15.4-30.1 SUSE Linux Enterprise Desktop 12-SP4 (src): libraw-0.15.4-30.1 SUSE Linux Enterprise Desktop 12-SP3 (src): libraw-0.15.4-30.1
SUSE-SU-2019:0133-1: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 1120498,1120499,1120500,1120515,1120516,1120517,1120519 CVE References: CVE-2018-20337,CVE-2018-20363,CVE-2018-20364,CVE-2018-20365,CVE-2018-5817,CVE-2018-5818,CVE-2018-5819 Sources used: SUSE Linux Enterprise Workstation Extension 15 (src): libraw-0.18.9-3.8.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): libraw-0.18.9-3.8.1
openSUSE-SU-2019:0094-1: An update that fixes 7 vulnerabilities is now available. Category: security (moderate) Bug References: 1120498,1120499,1120500,1120515,1120516,1120517,1120519 CVE References: CVE-2018-20337,CVE-2018-20363,CVE-2018-20364,CVE-2018-20365,CVE-2018-5817,CVE-2018-5818,CVE-2018-5819 Sources used: openSUSE Leap 15.0 (src): libraw-0.18.9-lp150.2.6.1
done
This is an autogenerated message for OBS integration: This bug (1120499) was mentioned in https://build.opensuse.org/request/show/921823 Factory / libraw