Bug 822665 - VUL-0: CVE-2013-2126 CVE-2013-2127: libraw: multiple issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2013-05-31 14:42 UTC by Marcus Meissner
Modified: 2013-09-30 11:35 UTC (History)
Description Marcus Meissner 2013-05-31 14:42:10 UTC
via oss-sec

From: Raphael Geissert <geissert@debian.org>
Subject: [oss-security] CVE request: libraw: multiple issues
Date: Tue, 28 May 2013 10:43:48 +0200

Hi,

From [1]:
> LibRaw 0.15.1 (26-05-2013)
This should be 0.15.2
>
> Fixed possible double-free() on error recovery on damaged full-color (Foveon, sRAW) files.
> wchar_t* file interface disabled for MinGW32 compilation
>
> LibRaw 0.15.1 (24-05-2013)
>
> fixed wrong data maximum calculation for Panasonic files
> check for possible buffer overrun in exposure correction code

So there's a double-free (fixed in 0.15.2[3]) and a buffer overflow
(fixed in 0.15.1[2]).

Could CVE ids be assigned please?

References:
[1]http://www.libraw.org/download
[2]http://www.libraw.org/news/libraw-0-15-1
[3]http://www.libraw.org/news/libraw-0-15-2
http://secunia.com/advisories/53547/

Cheers,
--
Raphael Geissert - Debian Developer
Comment 1 Marcus Meissner 2013-05-31 14:42:55 UTC
via Kurt:

> https://github.com/LibRaw/LibRaw/commit/19ffddb0fe1a4ffdb459b797ffcf7f490d28b5a6

Please use CVE-2013-2126 for this issue.

>>> and a buffer overflow (fixed in 0.15.1[2]).
> 
> https://github.com/LibRaw/LibRaw/commit/2f912f5b33582961b1cdbd9fd828589f8b78f21d

Please use CVE-2013-2127 for this issue.
Comment 2 Marcus Meissner 2013-05-31 14:43:21 UTC
(opensuse only apparently)
Comment 3 Swamp Workflow Management 2013-05-31 22:00:53 UTC
bugbot adjusting priority
Comment 4 Alexander Bergmann 2013-06-04 09:25:20 UTC
Two packages were found that embed a copy of libraw in their sources.

bnc#823113 - libkdcraw
bnc#823114 - darktable
Comment 5 Petr Gajdos 2013-06-13 06:29:43 UTC
CVE-2013-2126 seems to affect 12.3 (libraw 0.14.7), but not 12.2 (libraw 0.13.5).
Comment 6 Petr Gajdos 2013-06-14 02:58:06 UTC
CVE-2013-2127 affects only 0.15.x:
https://bugzilla.redhat.com/show_bug.cgi?id=968382#c5

So neither 12.3 nor 12.2 is affected by CVE-2013-2127.
Comment 7 Petr Gajdos 2013-06-14 03:54:03 UTC
See mr#178944.
Comment 8 Swamp Workflow Management 2013-06-26 08:04:49 UTC
openSUSE-SU-2013:1085-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 822665
CVE References: CVE-2013-2126
Sources used:
openSUSE 12.3 (src):    libraw-0.14.7-3.4.1, libraw-0.14.7-3.4.2
Comment 9 Alexander Bergmann 2013-09-30 11:35:21 UTC
Closing as fixed.