ArchLinux: 201709-18: libraw: multiple issues
Summary
- CVE-2017-13735 (denial of service)
There is a floating point exception in the kodak_radc_load_raw function
in dcraw_common.cpp in LibRaw 0.18.2 leading to denial of service.
- CVE-2017-14265 (arbitrary code execution)
A stack-based buffer overflow was discovered in xtrans_interpolate in
internal/dcraw_common.cpp in LibRaw before 0.18.3 leading to denial of
service or arbitrary code execution.
Resolution
Upgrade to 0.18.5-1.
# pacman -Syu "libraw>=0.18.5-1"
The problems have been fixed upstream in version 0.18.5.
References
https://github.com/LibRaw/LibRaw/issues/96 https://bugzilla.redhat.com/show_bug.cgi?id=1483988 https://github.com/LibRaw/LibRaw/issues/99 https://security.archlinux.org/CVE-2017-13735 https://security.archlinux.org/CVE-2017-14265
Workaround
None.