Security update for libraw SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:01569-1 Final 1 1 2025-06-06T13:12:49Z current 2025-06-06T13:12:49Z 2025-06-06T13:12:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libraw This update for libraw fixes the following issues: - CVE-2025-43961: Fixed out-of-bounds read in the Fujifilm 0xf00c tag parser in metadata/tiff.cpp (bsc#1241643) - CVE-2025-43962: Fixed out-of-bounds read when tag 0x412 processing in phase_one_correct function (bsc#1241585) - CVE-2025-43963: Fixed out-of-buffer access during phase_one_correct in decoders/load_mfbacks.cpp (bsc#1241642) - CVE-2025-43964: Fixed tag 0x412 processing in phase_one_correct does not enforce minimum w0 and w1 values (bsc#1241584) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1569,SUSE-SLE-Product-WE-15-SP7-2025-1569 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202501569-1/ Link for SUSE-SU-2025:01569-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040172.html E-Mail link for SUSE-SU-2025:01569-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1241584 SUSE Bug 1241584 https://bugzilla.suse.com/1241585 SUSE Bug 1241585 https://bugzilla.suse.com/1241642 SUSE Bug 1241642 https://bugzilla.suse.com/1241643 SUSE Bug 1241643 https://www.suse.com/security/cve/CVE-2025-43961/ SUSE CVE CVE-2025-43961 page https://www.suse.com/security/cve/CVE-2025-43962/ SUSE CVE CVE-2025-43962 page https://www.suse.com/security/cve/CVE-2025-43963/ SUSE CVE CVE-2025-43963 page https://www.suse.com/security/cve/CVE-2025-43964/ SUSE CVE CVE-2025-43964 page SUSE Linux Enterprise Workstation Extension 15 SP7 libraw-devel-0.18.9-150000.3.30.1 libraw-devel-static-0.18.9-150000.3.30.1 libraw-tools-0.18.9-150000.3.30.1 libraw16-0.18.9-150000.3.30.1 libraw16-0.18.9-150000.3.30.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP7 In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag parser. CVE-2025-43961 SUSE Linux Enterprise Workstation Extension 15 SP7:libraw16-0.18.9-150000.3.30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501569-1/ https://www.suse.com/security/cve/CVE-2025-43961.html CVE-2025-43961 https://bugzilla.suse.com/1241643 SUSE Bug 1241643 In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations. CVE-2025-43962 SUSE Linux Enterprise Workstation Extension 15 SP7:libraw16-0.18.9-150000.3.30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501569-1/ https://www.suse.com/security/cve/CVE-2025-43962.html CVE-2025-43962 https://bugzilla.suse.com/1241585 SUSE Bug 1241585 In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing. CVE-2025-43963 SUSE Linux Enterprise Workstation Extension 15 SP7:libraw16-0.18.9-150000.3.30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501569-1/ https://www.suse.com/security/cve/CVE-2025-43963.html CVE-2025-43963 https://bugzilla.suse.com/1241642 SUSE Bug 1241642 In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values. CVE-2025-43964 SUSE Linux Enterprise Workstation Extension 15 SP7:libraw16-0.18.9-150000.3.30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501569-1/ https://www.suse.com/security/cve/CVE-2025-43964.html CVE-2025-43964 https://bugzilla.suse.com/1241584 SUSE Bug 1241584