Security update for libraw SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1380-1 Final 1 1 2025-04-28T07:36:42Z current 2025-04-28T07:36:42Z 2025-04-28T07:36:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libraw This update for libraw fixes the following issues: - CVE-2025-43962: Fixed out-of-bounds read when tag 0x412 processing in phase_one_correct function (bsc#1241585) - CVE-2025-43964: Fixed tag 0x412 processing in phase_one_correct does not enforce minimum w0 and w1 values (bsc#1241584) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1380,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-1380 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251380-1/ Link for SUSE-SU-2025:1380-1 https://lists.suse.com/pipermail/sle-updates/2025-April/039092.html E-Mail link for SUSE-SU-2025:1380-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1241584 SUSE Bug 1241584 https://bugzilla.suse.com/1241585 SUSE Bug 1241585 https://www.suse.com/security/cve/CVE-2015-3885/ SUSE CVE CVE-2015-3885 page https://www.suse.com/security/cve/CVE-2015-8367/ SUSE CVE CVE-2015-8367 page https://www.suse.com/security/cve/CVE-2025-43962/ SUSE CVE CVE-2025-43962 page https://www.suse.com/security/cve/CVE-2025-43964/ SUSE CVE CVE-2025-43964 page SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libraw-devel-0.15.4-45.1 libraw-devel-static-0.15.4-45.1 libraw-tools-0.15.4-45.1 libraw9-0.15.4-45.1 libraw-devel-0.15.4-45.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libraw-devel-static-0.15.4-45.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier allows remote attackers to cause a denial of service (crash) via a crafted image, which triggers a buffer overflow, related to the len variable. CVE-2015-3885 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-0.15.4-45.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-static-0.15.4-45.1 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251380-1/ https://www.suse.com/security/cve/CVE-2015-3885.html CVE-2015-3885 https://bugzilla.suse.com/930683 SUSE Bug 930683 The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization. CVE-2015-8367 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-0.15.4-45.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-static-0.15.4-45.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251380-1/ https://www.suse.com/security/cve/CVE-2015-8367.html CVE-2015-8367 https://bugzilla.suse.com/1006704 SUSE Bug 1006704 https://bugzilla.suse.com/1006717 SUSE Bug 1006717 https://bugzilla.suse.com/957517 SUSE Bug 957517 In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations. CVE-2025-43962 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-0.15.4-45.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-static-0.15.4-45.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251380-1/ https://www.suse.com/security/cve/CVE-2025-43962.html CVE-2025-43962 https://bugzilla.suse.com/1241585 SUSE Bug 1241585 In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values. CVE-2025-43964 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-0.15.4-45.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libraw-devel-static-0.15.4-45.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251380-1/ https://www.suse.com/security/cve/CVE-2025-43964.html CVE-2025-43964 https://bugzilla.suse.com/1241584 SUSE Bug 1241584