Date: Thu, 29 Aug 2013 11:55:35 +0200
From: Raphael Geissert <atomo64@...il.com>
To: oss-security@...ts.openwall.com
Subject: [notification] libraw: multiple denial of service vulnerabilities

Hi,

During a review for EDF I found a few denial of service
vulnerabilities in LibRaw.

CVE-2013-1438:

Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw leading to
denial of service in applications using the library.
These vulnerabilities appear to originate in dcraw and as such any
program or library based on it is affected. To name a few confirmed
applications: dcraw, ufraw. Other affected software: shotwell,
darktable, and libkdcraw (Qt-style interface to libraw, using embedded
copy) which is used by digikam.

Google Picasa apparently uses dcraw/ufraw so it might be affected.
dcraw's homepage has a list of applications that possibly still use
it:
http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely
that all versions are affected.

(not listing all the other applications as I'm only considering libraw
as the piece with CVE relevance, given the fact that it is a library.)

Fixed in: libraw 0.15.4

CVE-2013-1439:

Specially crafted photo files may trigger a series of conditions in
which a null pointer is dereferenced leading to denial of service in
applications using the library. These three vulnerabilities are
in/related to the 'faster LJPEG decoder', which upstream states was
introduced in LibRaw 0.13 and support for which is going to be dropped
in 0.16.

Affected versions of libraw: 0.13.x-0.15.x

Fixed in: libraw 0.15.4

Patches:
0.15.x:
https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
Future 0.16.x:
https://github.com/LibRaw/LibRaw/commit/9ae25d8c3a6bfb40c582538193264f74c9b93bc0

(upstream decided to commit all fixes in a single commit. The missing
changes in the patch for 0.16 are the ones that correspond to
CVE-2013-4139. I.e. 0.16 patchset is CVE-2013-1438, while the 0.15
patchset is CVE-2013-4138 + CVE-2013-4139.)

Upstream states that there will be backported fixes for the 0.14
branch but there won't be any new release and "[they] should use
0.14-stable branch from github repo".

BCC'ing Dave Coffin, author of dcraw.

I would like to thank upstream, Alex Tutubalin, for his cooperation.

Cheers,
-- 
Raphael Geissert
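The version ranges above translate into a quick triage check. The script below is an added example and is not part of Raphael's post or of the LibRaw project: it classifies a LibRaw version string against the ranges the mail gives (CVE-2013-1438: confirmed 0.8 to 0.15.3; CVE-2013-1439: 0.13.x to 0.15.x; both fixed in 0.15.4) and, as an assumed usage, reads the installed version through pkg-config's `--modversion` from LibRaw's libraw.pc. It only sees the library itself; the dcraw-derived copies embedded in applications such as ufraw, shotwell, darktable or libkdcraw, and a patched 0.14-stable git checkout that still reports 0.14.x, have to be checked by hand.

```sh
#!/bin/sh
# Added example (not from the advisory or from LibRaw). Assumptions:
#  - versions are plain dotted numbers (0.15.3, 0.13); anything else is "unknown"
#  - missing components count as zero, so 0.13 == 0.13.0
#  - pkg-config and LibRaw's libraw.pc are available for installed_libraw_version

# vercmp A B: prints -1, 0 or 1 for A < B, A == B, A > B (numeric, segment-wise).
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        # append ".0.0" so a short version still yields three numeric fields
        x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# libraw_status VERSION: prints the advisory's classification for that version.
# Exit status: 0 = fixed, 1 = vulnerable, 2 = version string not understood.
libraw_status() {
    v=$1
    case "$v" in
        ''|*[!0-9.]*) printf 'unknown\n'; return 2 ;;
    esac
    if [ "$(vercmp "$v" 0.15.4)" -ge 0 ]; then
        # 0.15.4 and later carry the single upstream fix commit
        printf 'fixed\n'; return 0
    elif [ "$(vercmp "$v" 0.13)" -ge 0 ]; then
        # 0.13.x - 0.15.3: dcraw-inherited bugs plus the 'faster LJPEG decoder' ones
        printf 'vulnerable: CVE-2013-1438 CVE-2013-1439\n'; return 1
    else
        # confirmed from 0.8, and the advisory expects all earlier versions too
        printf 'vulnerable: CVE-2013-1438\n'; return 1
    fi
}

# installed_libraw_version: assumed lookup via pkg-config; fails if libraw.pc is absent.
installed_libraw_version() {
    pkg-config --modversion libraw 2>/dev/null
}

if v=$(installed_libraw_version); then
    printf 'installed libraw %s: %s\n' "$v" "$(libraw_status "$v")"
else
    printf '%s\n' 'pkg-config could not find libraw; check embedded copies by hand' >&2
fi
```

A version reported as fixed only means the shared library is 0.15.4 or newer; applications that bundle dcraw or an older LibRaw still need their own updates, as the mail points out.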
