Bug 823114 - (CVE-2013-2126) VUL-0: darktable: CVE-2013-2126: double-free issue in embed copy of libraw
(CVE-2013-2126)
VUL-0: darktable: CVE-2013-2126: double-free issue in embed copy of libraw
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-04 09:20 UTC by Alexander Bergmann
Modified: 2015-02-19 01:20 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2013-06-04 09:20:34 UTC
The darktable has an embedded copy of libraw. 

A security incident for libraw was started in bnc#822665.
Comment 1 Swamp Workflow Management 2013-06-04 16:00:29 UTC
bugbot adjusting priority
Comment 3 Togan Muftuoglu 2013-06-06 03:35:54 UTC
Based on the discussion of the topic in darktable-devel mailinglist [1] darktable is not vulnarable as the libraw in darktable is not updated to 15.0+ 

[1] http://tinyurl.com/kj46jcg
Comment 4 Alexander Bergmann 2013-06-10 04:11:46 UTC
If I'm not mistaken the affected libraw lines were introduced with commit 1a8e92ff, and that was actually part of 0.14.0.

I'll try to verify this with the libraw guys.
Comment 5 Togan Muftuoglu 2013-06-10 05:50:10 UTC
Hi,

On the darktable-devel list it was mentioned that the c14ae38 commit of the libraw (0.14-stable branch) has been integrated to darktarble. If that solves the security bug I will backport the patch for our darktable packages
Comment 6 Alexander Bergmann 2013-06-10 06:15:51 UTC
Sorry, I couldn't find commit c14ae38 inside the 0.14-stable branch. What I found was commit c14ae36, so maybe it was just a typo.

...

Yes, it was a typo. :)

+2013-05-31 Alex Tutubalin <lexa@lexa.ru>
+       * Fixed double call to free() on broken legacy-layout images
+         (backport from 0.15.x)

So from my point of view it should be sufficient if you could backport that patch to our darktable package.
Comment 7 Togan Muftuoglu 2013-06-10 06:27:43 UTC
Ooops sorry for the typo.

I will fix darktable
Comment 8 Benjamin Brunner 2013-06-10 07:25:20 UTC
Changed needinfo to our security-team.
Comment 9 Bernhard Wiedemann 2013-06-10 08:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (823114) was mentioned in
https://build.opensuse.org/request/show/178381 Maintenance /
Comment 10 Bernhard Wiedemann 2013-06-10 09:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (823114) was mentioned in
https://build.opensuse.org/request/show/178389 Factory / darktable
Comment 11 Alexander Bergmann 2013-06-10 09:13:51 UTC
Togan, please include the CVE number inside the changes file and resubmit.
Comment 12 Togan Muftuoglu 2013-06-10 09:29:03 UTC
done sr#178409
Comment 13 Bernhard Wiedemann 2013-06-10 10:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (823114) was mentioned in
https://build.opensuse.org/request/show/178409 Maintenance /
Comment 14 Togan Muftuoglu 2013-06-25 02:39:46 UTC
With the factory request mentioned in Comment 12 the issue should be resolved
Comment 15 Alexander Bergmann 2013-06-25 03:05:49 UTC
Looks good to me. Reassigning to security-team. 

openSUSE 12.2 and 12.3 updates will be released soon.
Comment 16 Swamp Workflow Management 2013-06-26 08:04:22 UTC
openSUSE-SU-2013:1083-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 823114
CVE References: CVE-2013-2126
Sources used:
openSUSE 12.3 (src):    darktable-1.1.3-1.5.3, darktable-1.1.3-1.5.4
openSUSE 12.2 (src):    darktable-1.0.5-3.9.3