Bug 837750 - (CVE-2013-1438) VUL-1: CVE-2013-1438 CVE-2013-1439: libraw: multiple denial of service flaws
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Thomas Renninger
Security Team bot
CVSSv3.1:SUSE:CVE-2013-1438:4.0:(AV:L...
Reported: 2013-08-30 08:50 UTC by Matthias Weckbecker
Modified: 2021-05-31 16:42 UTC
Description Matthias Weckbecker 2013-08-30 08:50:51 UTC
Specially crafted images could cause Denial of Service issues (looks like CPU
consumption rather than crash).

Commits:

  - https://github.com/LibRaw/LibRaw/commit/11909c
  - https://github.com/LibRaw/LibRaw/commit/9ae25d
Comment 1 Matthias Weckbecker 2013-08-30 08:51:23 UTC
I think the following CVEs were assigned:

  * CVE-2013-1438, and
  * CVE-2013-1439
Comment 2 Swamp Workflow Management 2013-08-30 22:00:18 UTC
bugbot adjusting priority
Comment 3 Thomas Renninger 2013-09-02 12:31:13 UTC
Do we really need to release a maintenance update for this:
> looks like CPU consumption rather than crash

The patches are rather big. I would definitely not change the CFLAGS and similar stuff which were commented out in the patch.

I could add the
throw LIBRAW_EXCEPTION_IO_CORRUPT;
parts, but I won't be able to test this.
It also is not clear in which product this is needed (SLE11 SP3?).
Comment 4 Matthias Weckbecker 2013-09-17 10:34:44 UTC
We always fix all maintained and affected products.
Comment 5 Marcus Meissner 2013-10-04 13:14:28 UTC
no need for immediate action, we have it only on the planned updates list for collective updates later
Comment 6 Marcus Meissner 2013-10-04 13:16:59 UTC
(Is this really for Thomas, who does libraw1394, a FireWire library?

Or more for Petr Gajdos, who does libraw? ;)
Comment 7 Thomas Renninger 2014-12-15 16:53:35 UTC
I am closing this bug now.
It's more than a year old, rated low and probably fixed mainline for quite a while.