Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2017-6886 CVE-2017-6887

Related Vulnerabilities: CVE-2017-6886   CVE-2017-6887  

Source

Debian Bug report logs - #864183
CVE-2017-6886 CVE-2017-6887

version graph

Package: src:libraw; Maintainer for src:libraw is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 4 Jun 2017 21:33:01 UTC

Severity: grave

Tags: security

Fixed in versions libraw/0.16.0-9+deb8u3, libraw/0.18.2-2, libraw/0.18.2-1, libraw/0.14.6-2+deb7u2, libraw/0.17.2-6+deb9u1

Done: Luciano Bello <luciano@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/LibRaw/LibRaw/issues/90

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#864183; Package src:libraw. (Sun, 04 Jun 2017 21:33:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 04 Jun 2017 21:33:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-6886 CVE-2017-6887
Date: Sun, 04 Jun 2017 23:31:55 +0200
Source: libraw
Severity: grave
Tags: security

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6887

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#864183; Package src:libraw. (Tue, 06 Jun 2017 11:24:03 GMT) (full text, mbox, link).

Acknowledgement sent to David Bremner <david@tethera.net>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 06 Jun 2017 11:24:03 GMT) (full text, mbox, link).

Message #10 received at 864183@bugs.debian.org (full text, mbox, reply):

From: David Bremner <david@tethera.net>
To: 864183@bugs.debian.org
Subject: Re: [Pkg-phototools-devel] Bug#864183: CVE-2017-6886 CVE-2017-6887
Date: Tue, 06 Jun 2017 08:20:51 -0300
Moritz Muehlenhoff <jmm@debian.org> writes:

> Source: libraw
> Severity: grave
> Tags: security
>
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6886
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6887

I started to look at this, but gave up on (me) fixing it for the initial
stretch release.

1. Between the version in stretch and the version being patched,
upstream has run the 15k line dcraw.c through clang-format, which means
the patch referenced in the CVE would need to move about 2k lines to
apply :(.

2. As I started to try to hand apply upstream d7c3d2cb460be10, I
realized there are security related changes from some other commit

-      if (len > 2560000 || !(cbuf = (char *)malloc(len)))
+      if (len < 1 || len > 2560000 || !(cbuf = (char *)malloc(len)))

in particular the (len > 2560000) is not present in the code in stretch.

It seems to come from upstream commit 8d0935 [3 files changed, 208
insertions(+), 154 deletions(-)], which also would need hand applying,
or some other cleverness.

Marked as fixed in versions libraw/0.18.2-1. Request was from "Matteo F. Vescovi" <mfv@debian.org> to control@bugs.debian.org. (Tue, 06 Jun 2017 13:51:06 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/LibRaw/LibRaw/issues/90'. Request was from "Matteo F. Vescovi" <mfv@debian.org> to control@bugs.debian.org. (Tue, 06 Jun 2017 13:51:06 GMT) (full text, mbox, link).

Marked as fixed in versions libraw/0.18.2-2. Request was from "Matteo F. Vescovi" <mfv@debian.org> to control@bugs.debian.org. (Wed, 28 Jun 2017 10:45:03 GMT) (full text, mbox, link).

Marked as fixed in versions libraw/0.14.6-2+deb7u2. Request was from Matteo F. Vescovi <mfv@debian.org> to control@bugs.debian.org. (Mon, 14 Aug 2017 19:12:04 GMT) (full text, mbox, link).

Marked as fixed in versions libraw/0.16.0-9+deb8u3. Request was from Matteo F. Vescovi <mfv@debian.org> to control@bugs.debian.org. (Mon, 14 Aug 2017 19:12:06 GMT) (full text, mbox, link).

Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Tue, 22 Aug 2017 00:57:03 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 22 Aug 2017 00:57:03 GMT) (full text, mbox, link).

Message #25 received at 864183-done@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: 864183-done@bugs.debian.org
Subject: CVE-2017-6886 CVE-2017-6887
Date: Mon, 21 Aug 2017 20:30:24 -0400
Source: libraw
Source-Version: 0.17.2-6+deb9u1

Fixed by https://www.debian.org/security/2017/DSA-3950

/luciano

Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Tue, 22 Aug 2017 01:21:03 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 22 Aug 2017 01:21:03 GMT) (full text, mbox, link).

Message #30 received at 864183-done@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: 864183-done@bugs.debian.org
Subject: CVE-2017-6886 CVE-2017-6887
Date: Mon, 21 Aug 2017 20:29:50 -0400
Source: libraw
Source-Version: 0.16.0-9+deb8u3

Fixed by https://www.debian.org/security/2017/DSA-3950

/luciano

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Oct 2017 07:32:39 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:13:15 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started