Mageia 2022-0160: dcraw security update | LinuxSecurity.com

What Are You Looking For?

Popular Tags

MGASA-2022-0160 - Updated dcraw packages fix security vulnerability

Publication date: 06 May 2022
URL: https://advisories.mageia.org/MGASA-2022-0160.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2018-5805,
     CVE-2018-5806,
     CVE-2018-19565,
     CVE-2018-19566,
     CVE-2018-19567,
     CVE-2018-19568,
     CVE-2021-3624

A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be
used by attackers able to supply malicious files to crash an application
that bundles the dcraw code or leak private information. (CVE-2018-19565)

A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be
used by attackers able to supply malicious files to crash an application
that bundles the dcraw code or leak private information. (CVE-2018-19566)

A floating point exception in parse_tiff_ifd in dcraw through 9.28 could
be used by attackers able to supply malicious files to crash an application
that bundles the dcraw code. (CVE-2018-19567)

A floating point exception in kodak_radc_load_raw in dcraw through 9.28
could be used by attackers able to supply malicious files to crash an
application that bundles the dcraw code. (CVE-2018-19568)

A boundary error within the "quicktake_100_load_raw()" function
(internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be
exploited to cause a stack-based buffer overflow and subsequently cause a
crash. (CVE-2018-5805)

An error within the "leaf_hdr_load_raw()" function
(internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be
exploited to trigger a NULL pointer dereference. (CVE-2018-5806)

There is an integer overflow vulnerability in dcraw. When the victim runs
dcraw with a maliciously crafted X3F input image, arbitrary code may be
executed in the victim's system. (CVE-2021-3624)

References:
- https://bugs.mageia.org/show_bug.cgi?id=24107
- https://www.openwall.com/lists/oss-security/2018/11/27/1
- https://lists.opensuse.org/archives/list/[email protected]/thread/YDVWQ5ZUMZUOMBBPVXPXX6XNCBNZ2BMJ/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5805
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5806
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19565
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19566
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19567
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19568
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3624

SRPMS:
- 8/core/dcraw-9.28.0-6.1.mga8

News

Advisories

HOWTOs

Features

Enterprise Encryption for Linux: Improve Manageability & Compliance
Rocky Linux Security Advisories Are Now on LinuxSecurity.com!
Official Guide on Rocky Linux & How to Install It
Business VPNs: Now More Important Than Ever
Linux Log Analysis

About Us

Powered By

Footer Logo

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

Learn More About Our Cookie Policy