libraw-devel-0.20.2-4.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10980 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libraw-devel-0.20.2-4.1 on GA media These are all security issues fixed in the libraw-devel-0.20.2-4.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10980 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10980 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-13735/ SUSE CVE CVE-2017-13735 page https://www.suse.com/security/cve/CVE-2017-14265/ SUSE CVE CVE-2017-14265 page https://www.suse.com/security/cve/CVE-2017-14348/ SUSE CVE CVE-2017-14348 page https://www.suse.com/security/cve/CVE-2017-6886/ SUSE CVE CVE-2017-6886 page https://www.suse.com/security/cve/CVE-2017-6887/ SUSE CVE CVE-2017-6887 page https://www.suse.com/security/cve/CVE-2017-6890/ SUSE CVE CVE-2017-6890 page https://www.suse.com/security/cve/CVE-2018-10528/ SUSE CVE CVE-2018-10528 page https://www.suse.com/security/cve/CVE-2018-10529/ SUSE CVE CVE-2018-10529 page https://www.suse.com/security/cve/CVE-2018-20337/ SUSE CVE CVE-2018-20337 page https://www.suse.com/security/cve/CVE-2018-5813/ SUSE CVE CVE-2018-5813 page https://www.suse.com/security/cve/CVE-2018-5815/ SUSE CVE CVE-2018-5815 page https://www.suse.com/security/cve/CVE-2018-5819/ SUSE CVE CVE-2018-5819 page https://www.suse.com/security/cve/CVE-2020-15503/ SUSE CVE CVE-2020-15503 page openSUSE Tumbleweed libraw-devel-0.20.2-4.1 libraw-devel-static-0.20.2-4.1 libraw-tools-0.20.2-4.1 libraw20-0.20.2-4.1 libraw20-32bit-0.20.2-4.1 libraw-devel-0.20.2-4.1 as a component of openSUSE Tumbleweed libraw-devel-static-0.20.2-4.1 as a component of openSUSE Tumbleweed libraw-tools-0.20.2-4.1 as a component of openSUSE Tumbleweed libraw20-0.20.2-4.1 as a component of openSUSE Tumbleweed libraw20-32bit-0.20.2-4.1 as a component of openSUSE Tumbleweed There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. CVE-2017-13735 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-13735.html CVE-2017-13735 https://bugzilla.suse.com/1056170 SUSE Bug 1056170 https://bugzilla.suse.com/1060321 SUSE Bug 1060321 A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack. CVE-2017-14265 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14265.html CVE-2017-14265 https://bugzilla.suse.com/1060163 SUSE Bug 1060163 https://bugzilla.suse.com/1084688 SUSE Bug 1084688 https://bugzilla.suse.com/1084690 SUSE Bug 1084690 https://bugzilla.suse.com/1084691 SUSE Bug 1084691 LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file. CVE-2017-14348 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14348.html CVE-2017-14348 https://bugzilla.suse.com/1058467 SUSE Bug 1058467 https://bugzilla.suse.com/1063798 SUSE Bug 1063798 An error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be exploited to corrupt memory. CVE-2017-6886 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-6886.html CVE-2017-6886 https://bugzilla.suse.com/1039380 SUSE Bug 1039380 A boundary error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be exploited to cause a memory corruption via e.g. a specially crafted KDC file with model set to "DSLR-A100" and containing multiple sequences of 0x100 and 0x14A TAGs. CVE-2017-6887 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-6887.html CVE-2017-6887 https://bugzilla.suse.com/1039379 SUSE Bug 1039379 A boundary error within the "foveon_load_camf()" function (dcraw_foveon.c) when initializing a huffman table in LibRaw-demosaic-pack-GPL2 before 0.18.2 can be exploited to cause a stack-based buffer overflow. CVE-2017-6890 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-6890.html CVE-2017-6890 https://bugzilla.suse.com/1039209 SUSE Bug 1039209 An issue was discovered in LibRaw 0.18.9. There is a stack-based buffer overflow in the utf2char function in libraw_cxx.cpp. CVE-2018-10528 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-10528.html CVE-2018-10528 https://bugzilla.suse.com/1091345 SUSE Bug 1091345 An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds read affecting the X3F property table list implementation in libraw_x3f.cpp and libraw_cxx.cpp. CVE-2018-10529 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-10529.html CVE-2018-10529 https://bugzilla.suse.com/1091346 SUSE Bug 1091346 There is a stack-based buffer overflow in the parse_makernote function of dcraw_common.cpp in LibRaw 0.19.1. Crafted input will lead to a denial of service or possibly unspecified other impact. CVE-2018-20337 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20337.html CVE-2018-20337 https://bugzilla.suse.com/1120519 SUSE Bug 1120519 An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file. CVE-2018-5813 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5813.html CVE-2018-5813 https://bugzilla.suse.com/1103200 SUSE Bug 1103200 An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file. CVE-2018-5815 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5815.html CVE-2018-5815 https://bugzilla.suse.com/1103206 SUSE Bug 1103206 An error within the "parse_sinar_ia()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to exhaust available CPU resources. CVE-2018-5819 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5819.html CVE-2018-5819 https://bugzilla.suse.com/1120517 SUSE Bug 1120517 LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength. CVE-2020-15503 openSUSE Tumbleweed:libraw-devel-0.20.2-4.1 openSUSE Tumbleweed:libraw-devel-static-0.20.2-4.1 openSUSE Tumbleweed:libraw-tools-0.20.2-4.1 openSUSE Tumbleweed:libraw20-0.20.2-4.1 openSUSE Tumbleweed:libraw20-32bit-0.20.2-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15503.html CVE-2020-15503 https://bugzilla.suse.com/1173674 SUSE Bug 1173674