Bug 823113 - VUL-0: libkdcraw: CVE-2013-2126: double-free issue in embed copy of libraw
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Assigned To: Raymond Wooninck
Security Team bot
Depends on:
Reported: 2013-06-04 09:20 UTC by Alexander Bergmann
Modified: 2013-07-10 11:22 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2013-06-04 09:20:27 UTC
libkdcraw has an embedded copy of libraw.

A security incident for libraw was started in bnc#822665.
Comment 1 Swamp Workflow Management 2013-06-04 16:00:12 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2013-07-01 17:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (823113) was mentioned in
https://build.opensuse.org/request/show/181646 Maintenance /
Comment 4 Raymond Wooninck 2013-07-01 17:02:38 UTC
I have issued a maintenance update for 12.2 to include the fix in libkdcraw. The fix for libkdcraw in 12.3 will be delivered together with the KDE 4.10.5 maintenance update (which is ready in KDE:Release:410, but not yet released).

Factory and KDE:Distro:Factory will not require the fix, as there the libraw inside libkdcraw has been updated to the 0.15.2 release.
Comment 5 Sebastian Krahmer 2013-07-02 11:24:39 UTC
There is already a submit: 181646, what about this?

It seems to miss the patch filename as required by OBS guidelines,
so it will be dropped anyway.
Comment 6 Raymond Wooninck 2013-07-02 11:32:08 UTC
Euh ??  

libkdcraw is following KDE release versions, so the version in 12.2 is 4.8.5 and the one in 12.3 is currently 4.10.3. That is why I submitted the initial request 181646, as this covers ONLY the 12.2 libkdcraw with the version 4.8.5.

The update for 12.3 will come together with the update to KDE 4.10.5. 

What is wrong with the patch filename ?? I never heard about a specific naming convention for patches. But if you are going to drop the submit request, then also close this bug report.
Comment 7 Marcus Meissner 2013-07-02 12:51:17 UTC
The name is not wrong, it just needs to be mentioned. :)

The openSUSE review team requires the patch filename to be mentioned in the .changes entries these days for Factory and Maintenance submissions.

so basically just include "bnc823113.diff" in the changes entry line.
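The requirement Marcus describes is easy to forget when the .changes entry already carries the bug reference, so here is an added example (not code from this bug, from the openSUSE review team, or from the libkdcraw package) of a small POSIX shell check that lists the Patch lines of a .spec file and fails if any of those filenames is absent from the .changes file. The .spec and .changes contents are constructed for illustration: bnc823113.diff is the name from comment 7, the second patch name is hypothetical, and the two .changes variants mirror the first submission (bug reference only) and the resubmission (patch named).

```shell
#!/bin/sh
# Added example, not part of the bug report or the libkdcraw package:
# verify that every patch declared in a .spec is named in the .changes
# entry, as the openSUSE review team requires for Factory/Maintenance
# submissions. All sample file contents below are constructed.

# Print the patch filenames declared in a spec file, one per line
# (matches "Patch:" and "PatchN:" lines and strips the tag).
spec_patches() {
    sed -n 's/^Patch[0-9]*:[[:space:]]*//p' "$1"
}

# Succeed (0) if every patch in spec $1 appears in changes file $2;
# otherwise print each unmentioned patch name and fail (1).
check_changes_mentions_patches() {
    spec=$1; changes=$2; rc=0
    for p in $(spec_patches "$spec"); do
        if ! grep -qF -- "$p" "$changes"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample input -----------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/libkdcraw.spec" <<'EOF'
Name:           libkdcraw
Version:        4.8.5
Patch0:         bnc823113.diff
Patch1:         libkdcraw-example.patch
EOF

# First attempt: only the bug reference, no patch filename (would be dropped).
cat >"$tmp/first.changes" <<'EOF'
- Fix double-free in embedded libraw (bnc#823113, CVE-2013-2126)
EOF

# Resubmission: patch filenames named in the entry (passes review).
cat >"$tmp/second.changes" <<'EOF'
- Add bnc823113.diff and libkdcraw-example.patch: fix double-free in
  embedded libraw (bnc#823113, CVE-2013-2126)
EOF

for c in first second; do
    if check_changes_mentions_patches "$tmp/libkdcraw.spec" "$tmp/$c.changes"; then
        echo "$c.changes: ok"
    else
        echo "$c.changes: patch filename(s) listed above are missing from .changes"
    fi
done
```

Run it against a real checkout by pointing the two functions at the package's .spec and .changes; the loop over constructed files at the bottom is only there to show both the rejected and the accepted shape of the entry.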
Comment 8 Raymond Wooninck 2013-07-02 13:01:30 UTC
Thanks Marcus,

That explains it :-)  I thought that I mentioned the patch, but the only thing I included in the changes file was the bug reference. 

Apologies for this and I just submitted a new update. You can drop the old SR.
Comment 9 Raymond Wooninck 2013-07-02 13:05:23 UTC
The new request is SR#181753.  Please only accept for openSUSE_12.2:Update
Comment 10 Sebastian Krahmer 2013-07-02 15:06:26 UTC
12.2 and 12.3 are in one request, I am not sure I could
only accept 12.2 out of it.
Comment 11 Marcus Meissner 2013-07-02 15:20:40 UTC

- accept request as usual

- osc rdelete openSUSE:Maintenance:1834 libkdcraw.openSUSE_12.3_Update -m ok

- osc meta prj -e openSUSE:Maintenance:1834

  .. delete the 12.3 repos

(did that already ;)
Comment 12 Swamp Workflow Management 2013-07-10 08:04:19 UTC
openSUSE-SU-2013:1168-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 823113
CVE References: CVE-2013-2126
Sources used:
openSUSE 12.2 (src):    libkdcraw-4.8.5-2.8.1
Comment 13 Marcus Meissner 2013-07-10 11:22:27 UTC