Date: Thu, 29 Aug 2013 11:55:35 +0200
From: Raphael Geissert <atomo64@...il.com>
To: oss-security@...ts.openwall.com
Subject: [notification] libraw: multiple denial of service vulnerabilities

Hi,

During a review for EDF I found a few denial of service vulnerabilities
in LibRaw.

CVE-2013-1438:
Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw leading to
denial of service in applications using the library.
These vulnerabilities appear to originate in dcraw and as such any
program or library based on it is affected. To name a few confirmed
applications: dcraw, ufraw. Other affected software: shotwell,
darktable, and libkdcraw (Qt-style interface to libraw, using embedded
copy) which is used by digikam.

Google Picasa apparently uses dcraw/ufraw so it might be affected.
dcraw's homepage has a list of applications that possibly still use it:
http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely
that all versions are affected.
(not listing all the other applications as I'm only considering libraw
as the piece with CVE relevance, given the fact that it is a library.)

Fixed in: libraw 0.15.4

CVE-2013-1439:
Specially crafted photo files may trigger a series of conditions in
which a null pointer is dereferenced leading to denial of service in
applications using the library.
These three vulnerabilities are in/related to the 'faster LJPEG
decoder', which upstream states was introduced in LibRaw 0.13 and
support for which is going to be dropped in 0.16.

Affected versions of libraw: 0.13.x-0.15.x

Fixed in: libraw 0.15.4

Patches:
0.15.x:
https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
Future 0.16.x:
https://github.com/LibRaw/LibRaw/commit/9ae25d8c3a6bfb40c582538193264f74c9b93bc0

(upstream decided to commit all fixes in a single commit. The missing
changes in the patch for 0.16 are the ones that correspond to
CVE-2013-4139. I.e. 0.16 patchset is CVE-2013-1438, while the 0.15
patchset is CVE-2013-4138 + CVE-2013-4139.)

Upstream states that there will be backported fixes for the 0.14 branch
but there won't be any new release and "[they] should use 0.14-stable
branch from github repo".

BCC'ing Dave Coffin, author of dcraw.

I would like to thank upstream, Alex Tutubalin, for his cooperation.

Cheers,
--
Raphael Geissert