libraw: CVE-2013-2126 CVE-2013-2127

Debian Bug report logs - #710353
libraw: CVE-2013-2126 CVE-2013-2127

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libraw: CVE-2013-2126 CVE-2013-2127

Date: Thu, 30 May 2013 09:22:27 +0200

Package: libraw
Severity: grave
Tags: security

Two security issues have been found in libraw. Please see this link for
more information and links to upstream commits:

http://www.openwall.com/lists/oss-security/2013/05/29/7

Cheers,
        Moritz

Message #10 received at 710353@bugs.debian.org (full text, mbox, reply):

From: Stepan Golosunov <stepan@golosunov.pp.ru>

To: Moritz Muehlenhoff <jmm@inutil.org>, 710353@bugs.debian.org

Subject: Re: Bug#710353: libraw: CVE-2013-2126 CVE-2013-2127

Date: Mon, 3 Jun 2013 19:34:15 +0400

Control: found -1 0.15.1-1

On Thu, May 30, 2013 at 09:22:27AM +0200, Moritz Muehlenhoff wrote:
> Package: libraw
> Severity: grave
> Tags: security
> 
> Two security issues have been found in libraw. Please see this link for
> more information and links to upstream commits:
> 
> http://www.openwall.com/lists/oss-security/2013/05/29/7

According to
http://blog.lexa.ru/2013/05/28/o_spiskakh_uyazvimostei_v_programmakh.html
the buggy code is present only in 0.15 branch.
Which means only experimental is affected, and only by CVE-2013-2126.

(Note that there are other packages that duplicate libraw sources.
Darktable, for example, includes libraw 0.14.7.)

Message #17 received at 710353@bugs.debian.org (full text, mbox, reply):

From: Stepan Golosunov <stepan@golosunov.pp.ru>

To: Moritz Muehlenhoff <jmm@inutil.org>, 710353@bugs.debian.org

Subject: Re: Bug#710353: libraw: CVE-2013-2126 CVE-2013-2127

Date: Mon, 3 Jun 2013 22:59:12 +0400

Control: found -1 0.14.6-2
Control: tags -1 patch

03.06.2013 в 19:34:15 +0400 Stepan Golosunov написал:
> On Thu, May 30, 2013 at 09:22:27AM +0200, Moritz Muehlenhoff wrote:
> > Package: libraw
> > Severity: grave
> > Tags: security
> > 
> > Two security issues have been found in libraw. Please see this link for
> > more information and links to upstream commits:
> > 
> > http://www.openwall.com/lists/oss-security/2013/05/29/7

> According to
> http://blog.lexa.ru/2013/05/28/o_spiskakh_uyazvimostei_v_programmakh.html
> the buggy code is present only in 0.15 branch.

Apparently (https://bugzilla.redhat.com/show_bug.cgi?id=968382#c5)
only CVE-2013-2127 is limited to 0.15 (and as a result is not present
in debian libraw packages). According to
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2126
CVE-2013-2126 affects 0.14 an 0.15 and patch for 0.14 is available at

https://github.com/LibRaw/LibRaw/commit/c14ae36d28e80139b2f31b5d9d7623db3b597a3a

--- a/src/libraw_cxx.cpp
+++ b/src/libraw_cxx.cpp
@@ -796,8 +796,8 @@ int LibRaw::unpack(void)
                 S.iheight= S.height;
                 IO.shrink = 0;
                 // allocate image as temporary buffer, size 
-                imgdata.rawdata.raw_alloc = calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
-                imgdata.image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
+                imgdata.rawdata.raw_alloc = 0;
+                imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
             }
 
 
@@ -807,8 +807,8 @@ int LibRaw::unpack(void)
         // recover saved
         if( decoder_info.decoder_flags & LIBRAW_DECODER_LEGACY)
             {
-                imgdata.image = 0; 
-                imgdata.rawdata.color_image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
+              imgdata.rawdata.raw_alloc = imgdata.rawdata.color_image = imgdata.image;
+              imgdata.image = 0; 
             }
 
         // calculate channel maximum


> (Note that there are other packages that duplicate libraw sources.
> Darktable, for example, includes libraw 0.14.7.)

Message #26 received at 710353-close@bugs.debian.org (full text, mbox, reply):

From: Luca Falavigna <dktrkranz@debian.org>

To: 710353-close@bugs.debian.org

Subject: Bug#710353: fixed in libraw 0.15.3-1

Date: Wed, 10 Jul 2013 21:04:08 +0000

Source: libraw
Source-Version: 0.15.3-1

We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710353@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Falavigna <dktrkranz@debian.org> (supplier of updated libraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Jul 2013 21:20:09 +0200
Source: libraw
Binary: libraw9 libraw-bin libraw-dev libraw-doc
Architecture: source amd64 all
Version: 0.15.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian Shotwell Maintainers <pkg-shotwell-maint@lists.alioth.debian.org>
Changed-By: Luca Falavigna <dktrkranz@debian.org>
Description: 
 libraw-bin - raw image decoder library (tools)
 libraw-dev - raw image decoder library (development files)
 libraw-doc - raw image decoder library (documentation)
 libraw9    - raw image decoder library
Closes: 710353 715577
Changes: 
 libraw (0.15.3-1) unstable; urgency=low
 .
   * Team upload to unstable.
   * New upstream release (Closes: #710353).
     - Fix error handling for broken full-color images - CVE-2013-2126.
     - Fix wrong data_maximum calcluation - CVE-2013-2127.
   * debian/patches/4channels_parameter.patch:
     - Fix segmentaition fault when 4channel is passed -s option without
        any parameter (Closes: #715577).
Checksums-Sha1: 
 e1774747c12440b1957d45400ea5159da4f31460 2015 libraw_0.15.3-1.dsc
 8b6f793905eb5df5cb5ff6623e1a566727ec1e73 1408520 libraw_0.15.3.orig.tar.gz
 dc31dc09c70144ad12b47ffab41e3b04b2085ec5 8779 libraw_0.15.3-1.debian.tar.gz
 8b68a67cb1d5317cf3c164f3e50acb4584b7f691 376674 libraw9_0.15.3-1_amd64.deb
 cabd750463447c64fdfe49c111d4eae622cf3393 50304 libraw-bin_0.15.3-1_amd64.deb
 50c540f4146119a9a73d9f841a0eb822fd5b227a 400670 libraw-dev_0.15.3-1_amd64.deb
 70681a457c137ed5e3e6e7cc7380fb35edb8bb97 114982 libraw-doc_0.15.3-1_all.deb
Checksums-Sha256: 
 148b4aae5de6b41930ac3539e216498febbd24a9f3ba5120b847c3da47977cc9 2015 libraw_0.15.3-1.dsc
 cfe74c87150035a3277d18338a4e4ac11424349736d39c7d9dbb0cffe5a0d331 1408520 libraw_0.15.3.orig.tar.gz
 68fcf505e176936b0e66973e663a7c713200528577e39dd109b20ef8fee41b85 8779 libraw_0.15.3-1.debian.tar.gz
 8a19715aafe0ffc3e6862d1b2e05fffd4ddf5f5dd898e4bbfed2e27e361eea70 376674 libraw9_0.15.3-1_amd64.deb
 4a8249d130ceebde9aeb5bcc3744e4a1acdcb74786140f24dd0f578fbd2f35c4 50304 libraw-bin_0.15.3-1_amd64.deb
 dc56b1e3f7b3c35a8ce944784d51e3e29bf1638dfea796f1c4cc5bee28ed62da 400670 libraw-dev_0.15.3-1_amd64.deb
 34afe2b96fe05c5e07394e3a8b31fd6fd1026d6763a6e4ed4e08e6040d1337b5 114982 libraw-doc_0.15.3-1_all.deb
Files: 
 1db23abc036d8ae5d1351aefc30ea9c7 2015 libs optional libraw_0.15.3-1.dsc
 61b401bfab23ae27fa437a966717acae 1408520 libs optional libraw_0.15.3.orig.tar.gz
 c8b3701b6683dffb858a9fc4e8c8850d 8779 libs optional libraw_0.15.3-1.debian.tar.gz
 1537d3ec82c690bb47a32489c26c51e4 376674 libs optional libraw9_0.15.3-1_amd64.deb
 5a1e0a5fb1c7458b5497f12360ea90ef 50304 graphics optional libraw-bin_0.15.3-1_amd64.deb
 2e143cd3573ce7fc25be2940535553fb 400670 libdevel optional libraw-dev_0.15.3-1_amd64.deb
 eac0aadb66add18d48c92db5f04c19b5 114982 doc optional libraw-doc_0.15.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJR3cJ2AAoJEEkIatPr4vMfufoP/2QKmmnaDWIZ7Ui5U78/JoTi
kAzzz0VSnKIEavDk0YCryZf59Vxc9hvuhS1fYzr6vtsTA93qoYF+NTZgwzThkIJx
6H9HxLw9wUFjXdZOmVh6k+st5yHNi6RkpY+E9m3+bBVvZ6/2I+4H1PeyDCelHRAe
sa9vg+mcs1CE9E4Pj6b9+mWgAD1NcRfLBjXlslCHyMz+L72ziEAjgsKucfcUqm6k
/ypMCxLrlB7PH4DjhGfxBZSMAFwPBJ0U6oz5+s4/fiaMcE3zRCod1jRUlGOrEkCF
xPERzI2aEcqBbONiUx2TArrig1NkcST/ENfo402O/XHIOHLCJi0KosQ2woW+TMfu
eakwssAY+Mj0We5d2H57NPNkIrf7IOU8Mp6GM+Gx+XJlM/B2XaiOcaI4Fa5WOMV3
58cfvYpWX/RZqNg0eycO0MONIniG7rnK91m3iKFeV8SoYTHiVagtDG8wSz5Uhb7P
XfO6UlF5n8hDHYFUnZGDDW7kfYEnOdeY872CB7Pxzr1yOwiHKGUbDwKE/PyexWL8
o/1PuxDT1enzZAFy9PG2ty+RMssEdfJDK3q+x6jN15oRolO74jsLUP6N1fZ1FdHF
CJ+B0jOAxp2mWhKK7f+oqXHVCfsI2J0FtViRFXKMyua6kVqxghBYb7/9pJq9P/f0
n6cLvHh6FZPFBpx4/RH4
=1xsj
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.