Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: <updates <at> fedoraproject.org>
Subject: [SECURITY] Fedora 18 Update: LibRaw-0.14.8-3.fc18.20120830git98d925
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Monday 9th September 2013 23:59:19 UTC (over 3 years ago)
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-15576
2013-08-30 21:41:59
--------------------------------------------------------------------------------

Name        : LibRaw
Product     : Fedora 18
Version     : 0.14.8
Release     : 3.fc18.20120830git98d925
URL         : http://www.libraw.org
Summary     : Library for reading RAW files obtained from digital photo
cameras
Description :
LibRaw is a library for reading RAW files obtained from digital photo
cameras (CRW/CR2, NEF, RAF, DNG, and others).

LibRaw is based on the source codes of the dcraw utility, where part of
drawbacks have already been eliminated and part will be fixed in future.

--------------------------------------------------------------------------------
Update Information:

Raphael Geissert reported two denial of service flaws in LibRaw [1]:

CVE-2013-1438:

Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw leading to
denial of service in applications using the library.
These vulnerabilities appear to originate in dcraw and as such any
program or library based on it is affected. To name a few confirmed
applications: dcraw, ufraw. Other affected software: shotwell,
darktable, and libkdcraw (Qt-style interface to libraw, using embedded
copy) which is used by digikam.

Google Picasa apparently uses dcraw/ufraw so it might be affected.
dcraw's homepage has a list of applications that possibly still use
it:
http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely
that all versions are affected.

Fixed in: libraw 0.15.4

CVE-2013-1439:

Specially crafted photo files may trigger a series of conditions in
which a null pointer is dereferenced leading to denial of service in
applications using the library. These three vulnerabilities are
in/related to the 'faster LJPEG decoder', which upstream states was
introduced in LibRaw 0.13 and support for which is going to be dropped
in 0.16.

Affected versions of libraw: 0.13.x-0.15.x
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 30 2013 Jon Ciesla  - 0.14.8-3
- Update to snapshot 98d925 to fix CVE-2013-1438,9, BZ 1002717.
* Wed May 29 2013 Jon Ciesla  - 0.14.8-2
- Patch for double free, CVE-2013-2126, BZ 968387.
* Wed May 29 2013 Jon Ciesla  - 0.14.8-1
- Latest upstream, fixes gcc 4.8 issues.
* Thu Apr 11 2013 Jon Ciesla  - 0.14.7-4
- Revert prior patch.
* Thu Apr 11 2013 Jon Ciesla  - 0.14.7-3
- Patch for segfault, BZ 948628.
* Wed Feb 13 2013 Fedora Release Engineering
 - 0.14.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Nov 26 2012 Jon Ciesla  - 0.14.7-1
- New upstream 0.14.7
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1002717 - CVE-2013-1439 CVE-2013-1438 LibRaw: multiple denial
of service flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1002717
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update LibRaw' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on
the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
 
CD: 3ms