libraw: CVE-2015-8366 CVE-2015-8367


Debian Bug report logs - #806809


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 1 Dec 2015 19:09:06 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libraw/0.17.0-1

Fixed in version libraw/0.17.1-1

Done: mfv@debian.org (Matteo F. Vescovi)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shotwell Maintainers <pkg-shotwell-maint@lists.alioth.debian.org>:
Bug#806809; Package src:libraw. (Tue, 01 Dec 2015 19:09:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shotwell Maintainers <pkg-shotwell-maint@lists.alioth.debian.org>. (Tue, 01 Dec 2015 19:09:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libraw: CVE-2015-8366 CVE-2015-8367
Date: Tue, 01 Dec 2015 20:04:47 +0100
Source: libraw
Version: 0.17.0-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for libraw.

CVE-2015-8366[0]:
Index overflow in smal_decode_segment

CVE-2015-8367[1]:
Memory objects are not initialized properly

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8366
[1] https://security-tracker.debian.org/tracker/CVE-2015-8367
[2] https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
[3] http://seclists.org/fulldisclosure/2015/Nov/108

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
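Whether a given libraw package is affected comes down to the "Found in" / "Fixed in" fields above (0.17.0-1 affected, 0.17.1-1 fixed), and Debian version strings do not compare as plain strings or floats. The block below is an added example, not Debian's or LibRaw's own code: a Python reimplementation of the dpkg version-ordering rules (epoch, upstream version, Debian revision; `~` sorts before everything, letters before other characters, digit runs compared numerically) used to decide whether an installed version sits at or above 0.17.1-1. The function names (compare_versions, is_fixed, audit) and the sample inventory in main(), including the `~bpo8+1` and `+deb9u1` strings, are assumptions constructed for illustration.

```python
"""Added example (not Debian's or LibRaw's code): decide whether an installed
libraw version carries the fix for CVE-2015-8366 / CVE-2015-8367 by comparing
it to the fixed version named in this bug, 0.17.1-1, using the dpkg
version-ordering rules. Function names and the sample versions in main() are
assumptions chosen for illustration."""

FIXED_VERSION = "0.17.1-1"   # "Fixed in version" from the bug metadata
CVES = ("CVE-2015-8366", "CVE-2015-8367")


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).

    The epoch defaults to 0 and the revision to '' when absent; only the
    last '-' separates the Debian revision, as in dpkg."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(c):
    """Weight of one character in the non-digit comparison (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256    # '+', '.', etc. sort after letters


def _cmp_fragment(a, b):
    """Compare one upstream or revision string the way dpkg's verrevcmp does:
    alternate between non-digit runs (weighted by _order) and digit runs
    (leading zeros stripped, then compared numerically)."""
    def ch(s, i):
        return s[i] if i < len(s) else ""

    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            oa, ob = _order(ch(a, ia)), _order(ch(b, ib))
            if oa != ob:
                return oa - ob
            ia += 1
            ib += 1
        while ch(a, ia) == "0":
            ia += 1
        while ch(b, ib) == "0":
            ib += 1
        while ch(a, ia).isdigit() and ch(b, ib).isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ch(a, ia).isdigit():
            return 1           # a's number has more digits, so it is larger
        if ch(b, ib).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _cmp_fragment(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def audit(installed_versions):
    """Map each version string to the CVEs from this bug still open for it."""
    return {v: [] if is_fixed(v) else list(CVES) for v in installed_versions}


if __name__ == "__main__":
    # Constructed sample inventory; the ~bpo and +deb strings are hypothetical.
    for version, open_cves in audit(["0.17.0-1", "0.17.1-1", "0.17.1-1~bpo8+1"]).items():
        print(f"{version:18} {'fixed' if not open_cves else ' '.join(open_cves)}")
```

On a Debian host the same question can be put to dpkg directly, for example `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libraw15)" ge 0.17.1-1`; the reimplementation is for checking exported inventories offline. Two caveats the ordering exposes: a hypothetical backport such as 0.17.1-1~bpo8+1 sorts below 0.17.1-1 even though it would be built from the fixed upstream release, and a later distribution revision such as 0.17.1-1+deb9u1 sorts above it. Version ordering says where a package sits relative to the fix version; which patches a given build actually carries is settled by its changelog, not by the comparison alone.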



Reply sent to mfv@debian.org (Matteo F. Vescovi):
You have taken responsibility. (Thu, 03 Dec 2015 21:39:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Dec 2015 21:39:04 GMT)


Message #10 received at 806809-close@bugs.debian.org:

From: mfv@debian.org (Matteo F. Vescovi)
To: 806809-close@bugs.debian.org
Subject: Bug#806809: fixed in libraw 0.17.1-1
Date: Thu, 03 Dec 2015 21:36:06 +0000
Source: libraw
Source-Version: 0.17.1-1

We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 806809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matteo F. Vescovi <mfv@debian.org> (supplier of updated libraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 Dec 2015 21:19:12 +0100
Source: libraw
Binary: libraw15 libraw-bin libraw-dev libraw-doc
Architecture: source
Version: 0.17.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shotwell Maintainers <pkg-shotwell-maint@lists.alioth.debian.org>
Changed-By: Matteo F. Vescovi <mfv@debian.org>
Description:
 libraw-bin - raw image decoder library (tools)
 libraw-dev - raw image decoder library (development files)
 libraw-doc - raw image decoder library (documentation)
 libraw15   - raw image decoder library
Closes: 806809
Changes:
 libraw (0.17.1-1) unstable; urgency=high
 .
   * New upstream release (Closes: #806809)
     - Fix CVE-2015-8366 and CVE-2015-8367
Checksums-Sha1:
 6fe032deee25f4b103af9b02156b7b6f0e21f93c 2300 libraw_0.17.1-1.dsc
 b988ebe060eef446f3cf237ad7858e149cfd99c6 689407 libraw_0.17.1.orig.tar.gz
 ed6071e64b7f8b7cf208b81c618c69a0e2828d4e 25904 libraw_0.17.1-1.debian.tar.xz
Checksums-Sha256:
 b44d733077c7760d1ebe5bd9ec6d8e55cae21ac819431d2e2419b576e59e1ca2 2300 libraw_0.17.1-1.dsc
 dd07861ea3b9739c61c50d5e8a5dfedd738f4765962104c120dd8ea2dc2e3491 689407 libraw_0.17.1.orig.tar.gz
 9b4e258ed34cc12470f0ffe47b16f6258362ad2b8e6195b80d6a0059e234fa20 25904 libraw_0.17.1-1.debian.tar.xz
Files:
 80ff3154d5ba542564c1b5c3928cb269 2300 libs optional libraw_0.17.1-1.dsc
 db1e2b770e0913361e6165ad89ae7ee2 689407 libs optional libraw_0.17.1.orig.tar.gz
 39025b24b55aa067b8976d20fc81c117 25904 libs optional libraw_0.17.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Comment: Debian powered!

iQJ8BAEBCgBmBQJWYKR+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGM0REMDlGOERBODdEMURGNTA0NkM5OUIw
NjEyRjQ5NDRFQ0RDRDVBAAoJEAYS9JROzc1aMugP/ii5934RP/cG6xT5XquE+S95
QKBUV10FyakJDE5I6TL1RJVYRXtR0ALxV3qn+6xvEEB5L1kVt/lcVucqYj29w+JB
5W6Otk/Cfry0i5xokrJvp9bcgDFbal8YiJZxfJxUf21kYLgy5uJ28Cdm7TjPzrT0
Dl6VEaUxXFVYeY/Z+9EPur5kjVsPuXfpy0/pd5zX7BbGOwZ77EOlzuz6TRRsE562
gpdHMJmDVpqeUOTXpNJg1TdR6dsu4frg8t7+kNRc6/iRlcS5iBYZaW4n13myMzg3
U8gpryg1Io1vr2UMo4aBXOk0LAgl2Ysf0tTCECnOEZE4d8rKueB8Jq90a9wHr2PO
dmG2g4QVU0Ohl5PEmA3xrwboUNOsNHEERimFsWKPhefSaloRKyMe9g9rGdtzcDGy
TfiK7jqIKtU6D3bVqpotIxdQN/699N13mf28wRRs5UmR5bnnhjTkKRzK3RqSZtZZ
zo6SgPJYAtokXbuScP56sRMHB6q12HN+isDNA2c+Kir/mt9H3QmAQiNu7E/5Tfdf
5uGdxMMU1++AjtAlLdjGoQRhPT+hoKaiv2Ox8nP75h/HaMrLOr38EhE0CsCGhHT6
FmFfjNe1Lt8WelZ5ufPV6/XLEVCg0Co6kiuQRxZpvQHplr40IxgzEt1oDGdt3o/Z
zFM0KA3WuAw5D4T75grg
=om+D
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Jan 2016 07:25:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:34:32 2019; Machine Name: buxtehude
