
Fedora alert FEDORA-2013-15576 (LibRaw)

From:  updates@fedoraproject.org
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 18 Update: LibRaw-0.14.8-3.fc18.20120830git98d925
Date:  Mon, 09 Sep 2013 23:59:19 +0000
Message-ID:  <20130909235919.7777421DF1@bastion01.phx2.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-15576
2013-08-30 21:41:59
--------------------------------------------------------------------------------

Name        : LibRaw
Product     : Fedora 18
Version     : 0.14.8
Release     : 3.fc18.20120830git98d925
URL         : http://www.libraw.org
Summary     : Library for reading RAW files obtained from digital photo cameras
Description :
LibRaw is a library for reading RAW files obtained from digital photo cameras
(CRW/CR2, NEF, RAF, DNG, and others). LibRaw is based on the source code of
the dcraw utility, where some of its drawbacks have already been eliminated and
others will be fixed in the future.

--------------------------------------------------------------------------------
Update Information:

Raphael Geissert reported two denial of service flaws in LibRaw [1]:

CVE-2013-1438: Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw, leading to denial of
service in applications using the library.

These vulnerabilities appear to originate in dcraw and as such any program or
library based on it is affected. To name a few confirmed applications: dcraw,
ufraw. Other affected software: shotwell, darktable, and libkdcraw (Qt-style
interface to libraw, using an embedded copy), which is used by digikam. Google
Picasa apparently uses dcraw/ufraw, so it might be affected. dcraw's homepage
has a list of applications that possibly still use it:
http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely that all
versions are affected.
Fixed in: libraw 0.15.4

CVE-2013-1439: Specially crafted photo files may trigger a series of conditions
in which a null pointer is dereferenced, leading to denial of service in
applications using the library.

These three vulnerabilities are in/related to the 'faster LJPEG decoder', which
upstream states was introduced in LibRaw 0.13 and support for which is going to
be dropped in 0.16.

Affected versions of libraw: 0.13.x-0.15.x

--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 30 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-3
- Update to snapshot 98d925 to fix CVE-2013-1438,9, BZ 1002717.
* Wed May 29 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-2
- Patch for double free, CVE-2013-2126, BZ 968387.
* Wed May 29 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.8-1
- Latest upstream, fixes gcc 4.8 issues.
* Thu Apr 11 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.7-4
- Revert prior patch.
* Thu Apr 11 2013 Jon Ciesla <limburgher@gmail.com> - 0.14.7-3
- Patch for segfault, BZ 948628.
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Nov 26 2012 Jon Ciesla <limburgher@gmail.com> - 0.14.7-1
- New upstream 0.14.7

--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1002717 - CVE-2013-1439 CVE-2013-1438 LibRaw: multiple denial of service flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1002717

--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update LibRaw'
at the command line. For more information, refer to "Managing Software with
yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
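An added example, not part of the advisory or of any Fedora tooling: it encodes the affected upstream ranges quoted above into a patch-state check, and shows why a version-only comparison is not enough for distribution packages, since the Fedora 18 build announced here keeps the upstream version 0.14.8 and carries the fix in its release tag. The sample `rpm -q` output line is constructed from this notification's own NVR.

```python
"""Decide whether an installed LibRaw is inside the ranges this advisory lists."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Half-open [low, high) ranges taken from the advisory text.
# CVE-2013-1438: confirmed 0.8-0.15.3, fixed in 0.15.4 (older versions may also
# be affected, but only the confirmed range is encoded here).
# CVE-2013-1439: 0.13.x-0.15.x; the decoder is dropped in 0.16.
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "CVE-2013-1438": ((0, 8), (0, 15, 4)),
    "CVE-2013-1439": ((0, 13), (0, 16)),
}

# Distribution builds that backport the fix without bumping the upstream
# version: (name, version, release). The Fedora 18 NVR is the one announced above.
FIXED_DISTRO_BUILDS = {
    ("LibRaw", "0.14.8", "3.fc18.20120830git98d925"),
}


def parse_version(text: str) -> Version:
    """'0.14.8' -> (0, 14, 8). Trailing suffixes such as a git snapshot are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_rpm_nvra(line: str) -> Tuple[str, str, str, str]:
    """Split one 'rpm -q' output line into (name, version, release, arch)."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", line.strip())
    if not m:
        raise ValueError(f"not an RPM NVRA: {line!r}")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def assess(version: str, distro_nvr: Optional[Tuple[str, str, str]] = None) -> Dict[str, bool]:
    """Return {cve: affected}. A known fixed distro build overrides the version test,
    because backported fixes leave the upstream version string unchanged."""
    if distro_nvr is not None and distro_nvr in FIXED_DISTRO_BUILDS:
        return {cve: False for cve in AFFECTED_RANGES}
    ver = parse_version(version)
    return {cve: low <= ver < high for cve, (low, high) in AFFECTED_RANGES.items()}


if __name__ == "__main__":
    # Constructed sample of what 'rpm -q LibRaw' prints after this update.
    name, ver, rel, _arch = parse_rpm_nvra("LibRaw-0.14.8-3.fc18.20120830git98d925.x86_64")
    print("upstream 0.14.8 alone:", assess(ver))
    print("Fedora build:", assess(ver, (name, ver, rel)))
```

The override set is the part to maintain: every backported fix you trust needs an entry, otherwise the upstream ranges report a false positive.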




Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds