dcraw-9.28.0-1.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10712-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z dcraw-9.28.0-1.6 on GA media These are all security issues fixed in the dcraw-9.28.0-1.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10712 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-13735/ SUSE CVE CVE-2017-13735 page https://www.suse.com/security/cve/CVE-2017-14608/ SUSE CVE CVE-2017-14608 page https://www.suse.com/security/cve/CVE-2018-19655/ SUSE CVE CVE-2018-19655 page https://www.suse.com/security/cve/CVE-2018-5801/ SUSE CVE CVE-2018-5801 page openSUSE Tumbleweed dcraw-9.28.0-1.6 dcraw-lang-9.28.0-1.6 dcraw-9.28.0-1.6 as a component of openSUSE Tumbleweed dcraw-lang-9.28.0-1.6 as a component of openSUSE Tumbleweed There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. CVE-2017-13735 openSUSE Tumbleweed:dcraw-9.28.0-1.6 openSUSE Tumbleweed:dcraw-lang-9.28.0-1.6 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-13735.html CVE-2017-13735 https://bugzilla.suse.com/1056170 SUSE Bug 1056170 https://bugzilla.suse.com/1060321 SUSE Bug 1060321 In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. CVE-2017-14608 openSUSE Tumbleweed:dcraw-9.28.0-1.6 openSUSE Tumbleweed:dcraw-lang-9.28.0-1.6 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14608.html CVE-2017-14608 https://bugzilla.suse.com/1063798 SUSE Bug 1063798 A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. CVE-2018-19655 openSUSE Tumbleweed:dcraw-9.28.0-1.6 openSUSE Tumbleweed:dcraw-lang-9.28.0-1.6 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19655.html CVE-2018-19655 https://bugzilla.suse.com/1117896 SUSE Bug 1117896 An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) in LibRaw versions prior to 0.18.7 can be exploited to trigger a NULL pointer dereference. CVE-2018-5801 openSUSE Tumbleweed:dcraw-9.28.0-1.6 openSUSE Tumbleweed:dcraw-lang-9.28.0-1.6 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5801.html CVE-2018-5801 https://bugzilla.suse.com/1084690 SUSE Bug 1084690