Message-ID: <8a37ecf0-9de9-40a2-9e3a-0d1d7cacc5e8@oracle.com>
Date: Sat, 11 Apr 2026 09:42:42 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: LibRaw 0.22.1 Release with security fixes

https://www.libraw.org/news/libraw-0-22-1-release announces:

> LibRaw 0.22.1 Release is just published in our Github repository
> <https://github.com/LibRaw/LibRaw> and this site download section
> <https://www.libraw.org/download>.
>
> This is a bugfix-only release with these commits included:
>
> * Limit strcat space in hassy model manipulation
> * Version increment; shlib increment: internal ABI has changed
> * check panasonic enc8 tile width against image width
> * CR3 parser: zero all buffers before fread
> * skip memory allocation checks for OWN_ALLOC decoders
> * DNG SDK glue: check for memory limits
> * raw2image()/dcraw_process() - check for int16 source data present
> * Check for correct bayer pattern, pass incorrect ones to vng_interpolate
> * parse_rollei: zero input string before fgets
> * Nikon padded/12bit: no need to calculate padded row size before final
> raw_width adjustment
> * TALOS-2026-2364: Fix for data size calculation integer overflow in
> float/deflated DNG loader; Check for read results
> * Fix for TALOS-2026-2363: avoid integer overflow in allocation size
> calculation. Also: check for EOF in read loop
> * X3F decoder: implemented hard single allocation limit via
> LIBRAW_X3F_ALLOC_LIMIT_MB define;
> * allocation size calculation converted to 64 bit arithm; fix for
> TALOS-2026-2359
> * Fix for TALOS-2026-2358
> * Fix for TALOS-2026-2331
> * Fix for TALOS-2026-2330
> * Sony YCC decoder: check tile size; add +3 bytes to input buffer to avoid
> possible overrun in huffman decoder
> * FP DNG data limit: perform calculations in 64 bit
> * Add extra huff_coeff item to handle huff_index==17 with known (zero) value,
> not externally provided tag value
> * use %lld format for timestamp parse/print where appropriate
> * nikon coolscan loader: check for EOF
> * Initialize olympus lensID bits
> * CR3 parser: all file offsets are unsigned/64bit; check current offset
> against file size
> * Add Canon EOS Kiss M2 to camera list
> * Check real color count against filters; do not pass really 4-color images
> to fbdd or advanced demosaic
> * Use LIBRAW_EXCEPTION instead of own internal in losslessjpeg.h
> * zero input string to avoid compare random stack garbage with tag names
> * Check for eof in Pentax tag search loop
> * Fuji decoder: initialize allocated buffers

Further information about the vulnerabilities reported by Cisco Talos can be
found in their reports:

- TALOS-2026-2330 / CVE-2026-20911
  LibRaw HuffTable::initval heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330

  A heap-based buffer overflow vulnerability exists in the HuffTable::initval
  functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially
  crafted malicious file can lead to a heap buffer overflow. An attacker
  can provide a malicious file to trigger this vulnerability.

- TALOS-2026-2331 / CVE-2026-21413
  LibRaw lossless_jpeg_load_raw heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331

  A heap-based buffer overflow vulnerability exists in the
  lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and
  Commit d20315b. A specially crafted malicious file can lead to a heap buffer
  overflow. An attacker can provide a malicious file to trigger this
  vulnerability.

- TALOS-2026-2358 / CVE-2026-20889
  LibRaw x3f_thumb_loader heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358

  A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader
  functionality of LibRaw Commit d20315b. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

- TALOS-2026-2359 / CVE-2026-24660
  LibRaw x3f_load_huffman heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2359

  A heap-based buffer overflow vulnerability exists in the x3f_load_huffman
  functionality of LibRaw Commit d20315b. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

- TALOS-2026-2363 / CVE-2026-24450
  LibRaw uncompressed_fp_dng_load_raw integer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2363

  An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw
  functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

- TALOS-2026-2364 / CVE-2026-20884
  LibRaw deflate_dng_load_raw integer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364

  An integer overflow vulnerability exists in the deflate_dng_load_raw
  functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

Additional CVEs also appear to have been issued for some of the fixes:

- CVE-2026-5318 appears to be a duplicate for independent reporting of the
  TALOS-2026-2330 / CVE-2026-20911 issue in
  https://github.com/LibRaw/LibRaw/issues/794

- CVE-2026-5342 for the fix listed above as "Nikon padded/12bit: no need to
  calculate padded row size before final raw_width adjustment" and originally
  reported in https://github.com/LibRaw/LibRaw/issues/795

--
-Alan Coopersmith- alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
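
Added example, not part of the original message and not LibRaw's code: several of the fixes listed above move allocation-size calculations to 64-bit arithmetic, impose a hard allocation limit, and check read results for EOF. The sketch below shows that pattern in general form; the function names, the 512 MiB cap and the header values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-allocation cap for this example; not a LibRaw value. */
#define ALLOC_LIMIT_BYTES (512ULL * 1024 * 1024)

/* Before: 32-bit product of file-controlled fields can wrap to a tiny size. */
static uint32_t size_32bit(uint32_t w, uint32_t h, uint32_t ch, uint32_t bps)
{
    return w * h * ch * bps;
}

/* After: 64-bit arithmetic, checked against a hard cap before each multiply.
 * Returns 0 and stores the byte count in *out, or -1 if rejected. */
static int size_checked(uint32_t w, uint32_t h, uint32_t ch, uint32_t bps,
                        uint64_t *out)
{
    if (!w || !h || !ch || !bps) return -1;
    uint64_t n = (uint64_t)w * h;      /* 32 x 32 bits always fits in 64 */
    if (n > ALLOC_LIMIT_BYTES / ch) return -1;
    n *= ch;
    if (n > ALLOC_LIMIT_BYTES / bps) return -1;
    n *= bps;
    *out = n;
    return 0;
}

/* Read exactly `need` bytes; a short read (truncated file) is an error. */
static int read_exact(FILE *f, void *buf, size_t need)
{
    size_t got = 0;
    while (got < need) {
        size_t r = fread((char *)buf + got, 1, need - got, f);
        if (r == 0) return -1;         /* EOF or I/O error */
        got += r;
    }
    return 0;
}

int main(void)
{
    uint64_t sz = 0;
    /* Constructed header values: 65536 * 16384 * 1 * 4 == 2^32. */
    printf("32-bit size: %u\n", size_32bit(65536, 16384, 1, 4));
    printf("checked:     %d\n", size_checked(65536, 16384, 1, 4, &sz));
    return 0;
}
```

With the constructed dimensions the 32-bit product wraps to 0, so a buffer sized from it would be far smaller than the data the decoder goes on to write; the checked version rejects the same input before any allocation happens.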