[Pkg-shotwell-maint] Bug#721231: CVE-2013-1438: dcraw world: multiple vulnerabilities

Raphael Geissert geissert at debian.org
Thu Aug 29 09:59:11 UTC 2013


Source: libraw
Severity: important
Tags: security
Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9
Control: retitle -1 CVE-2013-1438: libraw: multiple vulnerabilities
Control: retitle -2 CVE-2013-1438: dcraw: multiple vulnerabilities
Control: reassign -2 dcraw
Control: retitle -3 CVE-2013-1438: darktable: multiple vulnerabilities
Control: reassign -3 darktable
Control: retitle -4 CVE-2013-1438: ufraw: multiple vulnerabilities
Control: reassign -4 ufraw
Control: retitle -5 CVE-2013-1438: xbmc: multiple vulnerabilities
Control: reassign -5 src:xbmc
Control: retitle -6 CVE-2013-1438: exactimage: multiple vulnerabilities
Control: reassign -6 exactimage
Control: retitle -7 CVE-2013-1438: rawstudio: multiple vulnerabilities
Control: reassign -7 rawstudio
Control: retitle -8 CVE-2013-1438: rawtherapee: multiple vulnerabilities
Control: reassign -8 rawtherapee
Control: retitle -9 CVE-2013-1438: libkdcraw: multiple vulnerabilities
Control: reassign -9 libkdcraw

Hi,

I found a few vulnerabilities in dcraw; they are all covered by the
CVE-2013-1438 id:
"Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference."

Alex Tutubalin, libraw upstream, has patched the vulnerabilities in
libraw and the patches should apply as-is to the vast majority of
embedders. For the details
 http://www.openwall.com/lists/oss-security/2013/08/29/3

Please include the CVE id when fixing these vulnerabilities and
consider fixing them in old/stable via a {O,}SPU by following standard
procedures for stable release updates.

P.S. yes, the above Control list is annoying, but so is having so many
copies of the same code base in the archive.

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net