Updated libraw packages fix security vulnerabilities
Publication date: 05 Oct 2017Modification date: 05 Oct 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-13735 , CVE-2017-14265 , CVE-2017-14348
Description
There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. (CVE-2017-13735) A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack. (CVE-2017-14265) LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file. (CVE-2017-14348)
References
- https://bugs.mageia.org/show_bug.cgi?id=21716
- https://lists.opensuse.org/opensuse-updates/2017-09/msg00099.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4OTWHVODHFROYHMCNRUAZHNZDBH7YSPO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OPKCTEX7MK4ILYKIBQBK3VBM5U5CRJKK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/
- https://www.libraw.org/news/libraw-0-18-4
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13735
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14265
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14348
SRPMS
6/core
- libraw-0.18.5-1.mga6
5/core
- libraw-0.16.2-1.4.mga5