[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3113-1] libraw security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3113-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Helmut Grohne
September 16, 2022                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libraw
Version        : 0.19.2-2+deb10u1
CVE ID         : CVE-2020-35530 CVE-2020-35531 CVE-2020-35532 CVE-2020-35533

Multiple file parsing vulnerabilities have been fixed in libraw. They are
concerned with the dng and x3f formats. 

CVE-2020-35530

    There is an out-of-bounds write vulnerability within the "new_node()"
    function (src/x3f/x3f_utils_patched.cpp) that can be triggered via a
    crafted X3F file. Reported by github user 0xfoxone.

CVE-2020-35531

    An out-of-bounds read vulnerability exists within the
    get_huffman_diff() function (src/x3f/x3f_utils_patched.cpp) when
    reading data from an image file. Reported by github user GirlElecta.

CVE-2020-35532

    An out-of-bounds read vulnerability exists within the
    "simple_decode_row()" function (src/x3f/x3f_utils_patched.cpp) which
    can be triggered via an image with a large row_stride field.
    Reported by github user GirlElecta.

CVE-2020-35533

    An out-of-bounds read vulnerability exists within the
    "LibRaw::adobe_copy_pixel()" function (src/decoders/dng.cpp) when
    reading data from the image file. Reported by github user GirlElecta.

For Debian 10 buster, these problems have been fixed in version
0.19.2-2+deb10u1.

We recommend that you upgrade your libraw packages.

For the detailed security status of libraw please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libraw

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature


Reply to: