Bugzilla – Bug 822665
VUL-0: CVE-2013-2126 CVE-2013-2127: libraw: multiple issues
Last modified: 2013-09-30 11:35:21 UTC
via oss-sec
From: Raphael Geissert <geissert@debian.org>
Subject: [oss-security] CVE request: libraw: multiple issues
Date: Tue, 28 May 2013 10:43:48 +0200

Hi,

From [1]:

> LibRaw 0.15.1 (26-05-2013)

This should be 0.15.2

>
> Fixed possible double-free() on error recovery on damaged full-color (Foveon, sRAW) files.
> wchar_t* file interface disabled for MinGW32 compilation
>
> LibRaw 0.15.1 (24-05-2013)
>
> fixed wrong data maximum calculation for Panasonic files
> check for possible buffer overrun in exposure correction code

So there's a double-free (fixed in 0.15.2[3]) and a buffer overflow (fixed in 0.15.1[2]).

Could CVE ids be assigned please?

References:
[1] http://www.libraw.org/download
[2] http://www.libraw.org/news/libraw-0-15-1
[3] http://www.libraw.org/news/libraw-0-15-2
http://secunia.com/advisories/53547/

Cheers,
--
Raphael Geissert - Debian Developer
via Kurt:

> https://github.com/LibRaw/LibRaw/commit/19ffddb0fe1a4ffdb459b797ffcf7f490d28b5a6

Please use CVE-2013-2126 for this issue.

>>> and a buffer overflow (fixed in 0.15.1[2]).
>
> https://github.com/LibRaw/LibRaw/commit/2f912f5b33582961b1cdbd9fd828589f8b78f21d

Please use CVE-2013-2127 for this issue.
(opensuse only apparently)
bugbot adjusting priority
Two packages were found that embed a copy of libraw in their sources.
bnc#823113 - libkdcraw
bnc#823114 - darktable
CVE-2013-2126 seems to affect 12.3 (libraw 0.14.7), but not 12.2 (libraw 0.13.5).
CVE-2013-2127 affects only 0.15.x: https://bugzilla.redhat.com/show_bug.cgi?id=968382#c5
So neither 12.3 nor 12.2 is affected by CVE-2013-2127.
See mr#178944.
openSUSE-SU-2013:1085-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 822665
CVE References: CVE-2013-2126
Sources used:
openSUSE 12.3 (src): libraw-0.14.7-3.4.1, libraw-0.14.7-3.4.2
Closing as fixed.