Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 11 May 2015 15:59:55 +0200
From: Andrea Barisani <>
Subject: [oCERT-2015-006] dcraw input sanitization errors

#2015-006 dcraw input sanitization errors


The dcraw photo decoder is an open source project for raw image parsing.

The dcraw tool, as well as several other projects re-using its code, suffers
from an integer overflow condition which lead to a buffer overflow. The
vulnerability concerns the 'len' variable, parsed without validation from
opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability,
causing a Denial of Service condition.

Affected version:

   dcraw >= 7.00
   UFRaw >= 0.5
   LibRaw <= 0.16.0, 0.17-Alpha2
   RawTherapee >= 3.0
   CxImage >= 6.00
   Rawstudio >= 0.1
   Kodi >= 10.0
   ExactImage >= 0.1.0

Fixed version:

   dcraw, N/A
   UFRaw, N/A
   LibRaw >= 0.16.1, 0.17-Alpha3
   RawTherapee, N/A
   CxImage, N/A
   Rawstudio, N/A
   Kodi, N/A
   ExactImage, N/A

Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot]



2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release



Andrea Barisani |                Founder & Project Coordinator
          oCERT | OSS Computer Security Incident Response Team

 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ