CVE-2017-13735: libraw: floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp

Debian Bug report logs - #874729

Reported by: "Henri S." <henri@nerv.fi>

Date: Sat, 9 Sep 2017 10:09:02 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in version libraw/0.18.2-2

Fixed in version libraw/0.18.5-1

Done: mfv@debian.org (Matteo F. Vescovi)

Bug is archived. No further changes may be made.

Forwarded to https://github.com/LibRaw/LibRaw/issues/96


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#874729; Package src:libraw. (Sat, 09 Sep 2017 10:09:03 GMT)


Acknowledgement sent to "Henri S." <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sat, 09 Sep 2017 10:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Henri S." <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2017-13735: libraw: floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp
Date: Sat, 9 Sep 2017 12:56:58 +0300
Source: libraw
Version: 0.18.2-2
Severity: normal
Tags: security patch upstream
Forwarded: https://github.com/LibRaw/LibRaw/issues/96

There is a floating point exception in the kodak_radc_load_raw function in
dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service
attack.

https://nvd.nist.gov/vuln/detail/CVE-2017-13735
https://github.com/LibRaw/LibRaw/issues/96
https://bugzilla.redhat.com/show_bug.cgi?id=1483988

This has been fixed in upstream 0.18.3 release. Please see:
https://www.libraw.org/news/libraw-0-18-3

-- 
Henri Salo

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 14 Sep 2017 17:34:07 GMT)


Reply sent to mfv@debian.org (Matteo F. Vescovi):
You have taken responsibility. (Fri, 06 Oct 2017 21:12:08 GMT)


Notification sent to "Henri S." <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 06 Oct 2017 21:12:08 GMT)


Message #12 received at 874729-close@bugs.debian.org:

From: mfv@debian.org (Matteo F. Vescovi)
To: 874729-close@bugs.debian.org
Subject: Bug#874729: fixed in libraw 0.18.5-1
Date: Fri, 06 Oct 2017 21:08:49 +0000
Source: libraw
Source-Version: 0.18.5-1

We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874729@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matteo F. Vescovi <mfv@debian.org> (supplier of updated libraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 06 Oct 2017 21:51:38 +0200
Source: libraw
Binary: libraw16 libraw-bin libraw-dev libraw-doc
Architecture: source
Version: 0.18.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Matteo F. Vescovi <mfv@debian.org>
Description:
 libraw-bin - raw image decoder library (tools)
 libraw-dev - raw image decoder library (development files)
 libraw-doc - raw image decoder library (documentation)
 libraw16   - raw image decoder library
Closes: 874729
Changes:
 libraw (0.18.5-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #874729)
   * debian/: autotools-dev usage dropped
   * debian/control: S-V bump 4.0.0 -> 4.1.1 (no changes needed)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Nov 2017 07:26:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:55:22 2019; Machine Name: buxtehude
