
Debian Bug report logs - #897186
libraw: CVE-2018-10529


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 29 Apr 2018 15:39:04 UTC

Severity: important

Tags: patch, security, upstream

Found in version libraw/0.18.8-2

Fixed in version libraw/0.18.11-1

Done: mfv@debian.org (Matteo F. Vescovi)

Bug is archived. No further changes may be made.

Forwarded to https://github.com/LibRaw/LibRaw/issues/144



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#897186; Package src:libraw. (Sun, 29 Apr 2018 15:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 29 Apr 2018 15:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libraw: CVE-2018-10529
Date: Sun, 29 Apr 2018 17:36:25 +0200
Source: libraw
Version: 0.18.8-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/LibRaw/LibRaw/issues/144

Hi,

The following vulnerability was published for libraw.

CVE-2018-10529[0]:
| An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds
| read affecting the X3F property table list implementation in
| libraw_x3f.cpp and libraw_cxx.cpp.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10529
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10529
[1] https://github.com/LibRaw/LibRaw/issues/144
[2] https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to mfv@debian.org (Matteo F. Vescovi):
You have taken responsibility. (Tue, 29 May 2018 22:27:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 29 May 2018 22:27:09 GMT)


Message #10 received at 897186-close@bugs.debian.org:

From: mfv@debian.org (Matteo F. Vescovi)
To: 897186-close@bugs.debian.org
Subject: Bug#897186: fixed in libraw 0.18.11-1
Date: Tue, 29 May 2018 22:23:29 +0000
Source: libraw
Source-Version: 0.18.11-1

We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matteo F. Vescovi <mfv@debian.org> (supplier of updated libraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 29 May 2018 23:40:01 +0200
Source: libraw
Binary: libraw16 libraw-bin libraw-dev libraw-doc
Architecture: source
Version: 0.18.11-1
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Matteo F. Vescovi <mfv@debian.org>
Description:
 libraw-bin - raw image decoder library (tools)
 libraw-dev - raw image decoder library (development files)
 libraw-doc - raw image decoder library (documentation)
 libraw16   - raw image decoder library
Closes: 897185 897186
Changes:
 libraw (0.18.11-1) unstable; urgency=high
 .
   * New upstream release (Closes: #897185, #897186)
     - Fix CVE-2018-10528 and CVE-2018-10529
   * debian/control: S-V bump 4.1.3 -> 4.1.4 (no changes needed)
Checksums-Sha1:
 220b01d91d4dfb74859d11e104abe5e0c456a338 2340 libraw_0.18.11-1.dsc
 91bde91bd799e1bd2dd97095e96cbe5236f26a9b 523402 libraw_0.18.11.orig.tar.gz
 bc49cc3c58826fe30f11559225e9ebadc020c23d 21124 libraw_0.18.11-1.debian.tar.xz
 eb2b73de7145d9905948ccafa9fe09ca5da13394 5747 libraw_0.18.11-1_source.buildinfo
Checksums-Sha256:
 d0fda8d4c874456ae87a7c0cfc426d4c29237b4ed591a37af96e0f411257b687 2340 libraw_0.18.11-1.dsc
 6084bac752ec654ca03a00919810f06551f6a70b4565fab45a8f520dd8d47e5a 523402 libraw_0.18.11.orig.tar.gz
 a5511af7e3cd90088ce792621b2c047b90d4f4d4ee6cd1f8e8cdec54994777a5 21124 libraw_0.18.11-1.debian.tar.xz
 18a00aaf04cb3429b558df8d3fa9a84ac9226705fa8a4078dc6d7682c7699b0f 5747 libraw_0.18.11-1_source.buildinfo
Files:
 67960578e2a71c6c6281aaf5415d03e9 2340 libs optional libraw_0.18.11-1.dsc
 3d837f76b1c624a449a0971820c7d6ac 523402 libs optional libraw_0.18.11.orig.tar.gz
 1e6fbee42011495d69e063f372c032e4 21124 libs optional libraw_0.18.11-1.debian.tar.xz
 6729fb1d2611d81181204b356038045d 5747 libs optional libraw_0.18.11-1_source.buildinfo

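Two questions a responder has after reading this log are whether a given installed libraw version is at or above the fixed version 0.18.11-1, and whether a downloaded source artefact matches the SHA-256 values published in the .changes file quoted above. The following is an added example (not part of the bug log, nor LibRaw or Debian tooling) that answers both. Debian versions are not plain dotted numbers, so the dpkg comparison rules (epoch, the `~` pre-release marker, alternating non-digit/digit runs) are reimplemented here instead of shelling out to `dpkg --compare-versions`; the Checksums-Sha256 excerpt is copied verbatim from the .changes file above, while the function and constant names are this example's own.

```python
"""Triage helpers for Debian bug #897186 (libraw, CVE-2018-10529).

Added example, not part of the bug log or of LibRaw/Debian tooling.
"""
import hashlib
import hmac

# Fixed-in version taken from the bug log above.
FIXED_VERSION = "0.18.11-1"

# Checksums-Sha256 block copied from the libraw 0.18.11-1 .changes file above.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 d0fda8d4c874456ae87a7c0cfc426d4c29237b4ed591a37af96e0f411257b687 2340 libraw_0.18.11-1.dsc
 6084bac752ec654ca03a00919810f06551f6a70b4565fab45a8f520dd8d47e5a 523402 libraw_0.18.11.orig.tar.gz
 a5511af7e3cd90088ce792621b2c047b90d4f4d4ee6cd1f8e8cdec54994777a5 21124 libraw_0.18.11-1.debian.tar.xz
 18a00aaf04cb3429b558df8d3fa9a84ac9226705fa8a4078dc6d7682c7699b0f 5747 libraw_0.18.11-1_source.buildinfo
Files:
"""


def _order(c):
    """Character weight used by dpkg for non-digit comparison.
    '~' sorts before everything (even end of string), digits and end of
    string are 0, letters sort by code point, other punctuation after."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, longer number wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its parts (epoch 0, revision '' if absent)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def debian_version_cmp(v1, v2):
    """Return <0, 0 or >0 like dpkg --compare-versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    return c if c else _verrevcmp(r1, r2)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed package version carries the fix."""
    return debian_version_cmp(installed, fixed) >= 0


def parse_sha256(changes_text):
    """Return {filename: (hex digest, size)} from a .changes Checksums-Sha256 block."""
    entries = {}
    in_block = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # next field: the block is over
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_sha256(changes_text, filename, data):
    """True when data has the size and SHA-256 listed for filename."""
    entry = parse_sha256(changes_text).get(filename)
    if entry is None:
        return False
    digest, size = entry
    if len(data) != size:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest)


if __name__ == "__main__":
    for v in ("0.18.8-2", "0.18.11-1", "0.18.11-1~bpo9+1", "0.19.0-1"):
        print(f"{v:20} fixed={is_fixed(v)}")
```

The checksum check only tells you the file matches what the maintainer uploaded; it is meaningful only after the OpenPGP signature on the .changes file itself has been verified against the Debian keyring, which this example does not do. Note also that a backport-style version such as `0.18.11-1~bpo9+1` compares below `0.18.11-1`, so a naive string or tuple comparison would misreport it as fixed.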




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2018 07:35:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:24:20 2019; Machine Name: beach
