dcraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow

Related Vulnerabilities: CVE-2015-3885  

Debian Bug report logs - #785019


Reported by: "Karl O. Pinc" <kop@meme.com>

Date: Mon, 11 May 2015 16:33:01 UTC

Severity: important

Tags: security, upstream

Found in version dcraw/8.99-1

Fixed in version dcraw/9.26-1

Done: Tobias Frost <tobi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Steve King <debian@invux.com>:
Bug#785019; Package dcraw. (Mon, 11 May 2015 16:33:06 GMT)


Acknowledgement sent to "Karl O. Pinc" <kop@meme.com>:
New Bug report received and forwarded. Copy sent to Steve King <debian@invux.com>. (Mon, 11 May 2015 16:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Karl O. Pinc" <kop@meme.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dcraw: [oCERT-2015-006] dcraw input sanitization errors
Date: Mon, 11 May 2015 11:31:51 -0500
Package: dcraw
Severity: important
Tags: upstream

FYI, a buffer overflow looks like it could be worse than "important".

Ocert says:

#2015-006 dcraw input sanitization errors

Description:

The dcraw photo decoder is an open source project for raw image parsing.

The dcraw tool, as well as several other projects re-using its code, suffers
from an integer overflow condition which leads to a buffer overflow. The
vulnerability concerns the 'len' variable, parsed without validation from
opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability,
causing a Denial of Service condition.

Affected version:

   dcraw >= 7.00
   UFRaw >= 0.5
   LibRaw <= 0.16.0, 0.17-Alpha2
   RawTherapee >= 3.0
   CxImage >= 6.00
   Rawstudio >= 0.1
   Kodi >= 10.0
   ExactImage >= 0.1.0

Fixed version:

   dcraw, N/A
   UFRaw, N/A
   LibRaw >= 0.16.1, 0.17-Alpha3
   RawTherapee, N/A
   CxImage, N/A
   Rawstudio, N/A
   Kodi, N/A
   ExactImage, N/A

Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot] com>.

CVE: N/A

Timeline:

2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release

References:
https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e

Permalink:
http://www.ocert.org/advisories/ocert-2015-006.html



-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 May 2015 17:09:14 GMT)


Marked as found in versions dcraw/8.99-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 May 2015 14:36:05 GMT)


Changed Bug title to 'dcraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow' from 'dcraw: [oCERT-2015-006] dcraw input sanitization errors'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 May 2015 14:39:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Steve King <debian@invux.com>:
Bug#785019; Package dcraw. (Tue, 26 May 2015 02:09:05 GMT)


Acknowledgement sent to Hubert Chathi <uhoreg@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve King <debian@invux.com>. (Tue, 26 May 2015 02:09:05 GMT)


Message #16 received at 785019@bugs.debian.org:

From: Hubert Chathi <uhoreg@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 786783@bugs.debian.org, 785019@bugs.debian.org, 786788@bugs.debian.org
Subject: Re: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow
Date: Mon, 25 May 2015 21:28:15 -0400
[Cc:ing other related bugs, to get other maintainers' opinions]

On Mon, 25 May 2015 16:40:00 +0200, Salvatore Bonaccorso <carnil@debian.org> said:

> CVE-2015-3885[0]: Integer overflow in the ljpeg_start function in
> dcraw 7.00 and earlier allows remote attackers to cause a denial of
> service (crash) via a crafted image, which triggers a buffer
> overflow, related to the len variable.

The patch from rawstudio and libraw is easy enough to port over, being a
one-line change, but I'd like a second opinion.  The patch just changes
the type of len from int to ushort.  However, len is only ever set to

    len = (data[2] << 8 | data[3]) - 2

and so will always be less than 0x10000, so I don't see how len can
overflow with >= 32-bit ints.  I can see how it could cause problems
with a signed 16-bit int, but unless I'm missing something, it shouldn't
affect Debian in any way, since all our arch's are >= 32-bits.

Is that correct, or is my assessment wrong?

-- 
Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA         http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA



Information forwarded to debian-bugs-dist@lists.debian.org, Steve King <debian@invux.com>:
Bug#785019; Package dcraw. (Tue, 26 May 2015 15:51:10 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve King <debian@invux.com>. (Tue, 26 May 2015 15:51:10 GMT)


Message #21 received at 785019@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Hubert Chathi <uhoreg@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 786783@bugs.debian.org, 785019@bugs.debian.org, 786788@bugs.debian.org
Subject: Re: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow
Date: Tue, 26 May 2015 17:48:49 +0200
On Mon, 25 May 2015, Hubert Chathi wrote:
> the type of len from int to ushort.  However, len is only ever set to
> 
>     len = (data[2] << 8 | data[3]) - 2
> 
> and so will always be less than 0x10000, so I don't see how len can
> overflow with >= 32-bit ints.  I can see how it could cause problems
> with a signed 16-bit int, but unless I'm missing something, it shouldn't
> affect Debian in any way, since all our arch's are >= 32-bits.
> 
> Is that correct, or is my assessment wrong?

It appears to be wrong. See the analysis here:
https://bugzilla.redhat.com/show_bug.cgi?id=1221249#c10

The problem is that you can trigger a negative "len" which will result
in a very big number once implicitly converted to a size_t in the
fread() call.

BTW, RedHat uses a more comprehensive fix that bails out if the
length ends up negative:
https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Steve King <debian@invux.com>:
Bug#785019; Package dcraw. (Tue, 26 May 2015 15:54:14 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve King <debian@invux.com>. (Tue, 26 May 2015 15:54:15 GMT)


Message #26 received at 785019@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: koster@debian.org, David Bremner <bremner@debian.org>, "Matteo F. Vescovi" <mfv@debian.org>, Sven Eckelmann <sven@narfation.org>, Hubert Chathi <uhoreg@debian.org>
Cc: debian-lts@lists.debian.org, 785019@bugs.debian.org, 786783@bugs.debian.org, 786785@bugs.debian.org, 786788@bugs.debian.org, 786790@bugs.debian.org
Subject: About the security issues affecting dcraw/ufraw/libraw/rawtherapee/rawstudio/exactimage/freeimage in Squeeze
Date: Tue, 26 May 2015 17:50:45 +0200
Hello dear maintainer(s),

the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2015-3885

We decided that we would not prepare a squeeze security update (usually
because the security impact is low and that we concentrate our limited
resources on higher severity issues and on the most widely used packages).
That said the squeeze users would most certainly benefit from a fixed
package.

If you want to work on such an update, you're welcome to do so. Please
try to follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. However please make sure to
submit a tested package.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Steve King <debian@invux.com>:
Bug#785019; Package dcraw. (Tue, 26 May 2015 18:33:04 GMT)


Acknowledgement sent to Hubert Chathi <uhoreg@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve King <debian@invux.com>. (Tue, 26 May 2015 18:33:04 GMT)


Message #31 received at 785019@bugs.debian.org:

From: Hubert Chathi <uhoreg@debian.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 786783@bugs.debian.org, 785019@bugs.debian.org, 786788@bugs.debian.org
Subject: Re: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow
Date: Tue, 26 May 2015 14:30:34 -0400
On Tue, 26 May 2015 17:48:49 +0200, Raphael Hertzog <hertzog@debian.org> said:

> On Mon, 25 May 2015, Hubert Chathi wrote:
>> the type of len from int to ushort.  However, len is only ever set to
>> 
>> len = (data[2] << 8 | data[3]) - 2
>> 
>> and so will always be less than 0x10000, so I don't see how len can
>> overflow with >= 32-bit ints.  I can see how it could cause problems
>> with a signed 16-bit int, but unless I'm missing something, it
>> shouldn't affect Debian in any way, since all our arch's are >=
>> 32-bits.
>> 
>> Is that correct, or is my assessment wrong?

> It appears to be wrong. See the analysis here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1221249#c10

Ah, underflow, of course.  I was only thinking overflow.  Thanks.

> The problem is that you can trigger a negative "len" which will result
> in a very big number once implicitly converted to a size_t in the
> fread() call.

> BTW, RedHat uses a more comprehensive fix that bails out if the length
> ends up negative:
> https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff

Thanks.  I'll apply this patch.

-- 
Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA         http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
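The underflow the three messages above discuss, as an added example that is not dcraw's, LibRaw's, rawstudio's or Red Hat's code (function names and the constructed 4-byte marker headers are mine): the signed len computation from the thread, the ushort one-liner, what a negative len becomes once handed to fread()'s size_t parameter, and a reader that rejects a negative length the way the Red Hat patch is described to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signed computation as quoted in the thread: the 16-bit marker length
 * minus the two length bytes themselves. Field values 0 and 1 go negative. */
int marker_len_signed(const unsigned char data[4])
{
    return (data[2] << 8 | data[3]) - 2;
}

/* The LibRaw/rawstudio one-liner: same expression, stored in an unsigned
 * short, so -1 and -2 wrap to 65535 and 65534 instead of staying negative. */
unsigned short marker_len_ushort(const unsigned char data[4])
{
    unsigned short len = (data[2] << 8 | data[3]) - 2;
    return len;
}

/* What a negative int becomes when passed to fread()'s size_t parameter. */
size_t as_fread_size(int len)
{
    return (size_t)len;
}

/* Reader in the spirit of the Red Hat fix: bail out on a negative length
 * (and, as a defensive extra, on one that exceeds the input or the
 * destination). Returns the payload byte count, or -1 on rejection. */
long read_segment(const unsigned char *in, size_t inlen,
                  unsigned char *out, size_t outcap)
{
    if (inlen < 4)
        return -1;                   /* not even a full marker header */
    int len = marker_len_signed(in);
    if (len < 0)
        return -1;                   /* the underflow case */
    if ((size_t)len > outcap || (size_t)len > inlen - 4)
        return -1;                   /* would overrun out or read past in */
    memcpy(out, in + 4, (size_t)len);
    return len;
}

int main(void)
{
    /* Constructed headers: 0xFF 0xC3 marker followed by a 16-bit length. */
    const unsigned char short_len[4] = {0xFF, 0xC3, 0x00, 0x01};      /* length 1 */
    const unsigned char ok[8] = {0xFF, 0xC3, 0x00, 0x06, 1, 2, 3, 4};  /* length 6 */
    unsigned char out[32];

    printf("signed len : %d\n", marker_len_signed(short_len));              /* -1 */
    printf("ushort len : %u\n", marker_len_ushort(short_len));              /* 65535 */
    printf("as size_t  : %zu\n", as_fread_size(marker_len_signed(short_len)));
    printf("hardened   : %ld\n", read_segment(short_len, 4, out, sizeof out)); /* -1 */
    printf("hardened   : %ld\n", read_segment(ok, 8, out, sizeof out));         /* 4 */
    return 0;
}
```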



Information forwarded to debian-bugs-dist@lists.debian.org, Steve King <debian@invux.com>:
Bug#785019; Package dcraw. (Wed, 03 Jun 2015 14:39:03 GMT)


Acknowledgement sent to PICCORO McKAY Lenz <mckaygerhard@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve King <debian@invux.com>. (Wed, 03 Jun 2015 14:39:03 GMT)


Message #36 received at 785019@bugs.debian.org:

From: PICCORO McKAY Lenz <mckaygerhard@gmail.com>
To: Raphael Hertzog <hertzog@debian.org>, koster@debian.org, David Bremner <bremner@debian.org>, "Matteo F. Vescovi" <mfv@debian.org>, Sven Eckelmann <sven@narfation.org>, debian-lts@lists.debian.org, 785019@bugs.debian.org, 786783@bugs.debian.org, 786785@bugs.debian.org, 786788@bugs.debian.org, 786790@bugs.debian.org
Subject: Re: About the security issues affecting dcraw/ufraw/libraw/rawtherapee/rawstudio/exactimage/freeimage in Squeeze
Date: Wed, 3 Jun 2015 10:04:19 -0430
I cannot see recent activity around those issues.

If I have some dsc's in another repo, can they be useful for sponsoring,
and be uploaded or used for squeeze-lts?
Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com


2015-05-26 11:20 GMT-04:30 Raphael Hertzog <hertzog@debian.org>:
> Hello dear maintainer(s),
>
> the Debian LTS team recently reviewed the security issue(s) affecting your
> package in Squeeze:
> https://security-tracker.debian.org/tracker/CVE-2015-3885
>
> We decided that we would not prepare a squeeze security update (usually
> because the security impact is low and that we concentrate our limited
> resources on higher severity issues and on the most widely used packages).
> That said the squeeze users would most certainly benefit from a fixed
> package.
>
> If you want to work on such an update, you're welcome to do so. Please
> try to follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. However please make sure to
> submit a tested package.
>
> Thank you very much.
>
> Raphaël Hertzog,
>   on behalf of the Debian LTS team.
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/
>



Reply sent to Tobias Frost <tobi@debian.org>:
You have taken responsibility. (Sat, 30 Apr 2016 21:54:17 GMT)


Notification sent to "Karl O. Pinc" <kop@meme.com>:
Bug acknowledged by developer. (Sat, 30 Apr 2016 21:54:17 GMT)


Message #41 received at 785019-close@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 785019-close@bugs.debian.org
Subject: Bug#785019: fixed in dcraw 9.26-1
Date: Sat, 30 Apr 2016 21:51:24 +0000
Source: dcraw
Source-Version: 9.26-1

We believe that the bug you reported is fixed in the latest version of
dcraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 785019@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated dcraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 30 Apr 2016 23:26:42 +0200
Source: dcraw
Binary: dcraw
Architecture: source amd64
Version: 9.26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Description:
 dcraw      - decode raw digital camera images
Closes: 634924 750858 754388 785019 819652
Changes:
 dcraw (9.26-1) unstable; urgency=medium
 .
   * QA upload.
   * Setting maintainer to QA.
   * New upstream version. Closes: #754388, #785019
   * New upstream version fixes CVE-2015-3885.
   * Refesh patch remove_LO_line_from_manpage.diff
   * Update d/copyright and add missing licenses. Closes: #634924
   * Bump SV to 3.9.8 -- no changes required.
   * Created git repository on collab-maint.
   * Include NMU changelogs. Closes: #750858
   * Change package priority to optional. Closes: #819652
   * Fix typo in manpage dcparse.1




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Jun 2016 07:29:13 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:57:08 2019; Machine Name: beach
