Description:
The dcraw photo decoder is an open source project for raw image parsing.
The dcraw tool, as well as several other projects re-using its code, suffers
from an integer overflow condition which lead to a buffer overflow. The
vulnerability concerns the 'len' variable, parsed without validation from
opened images, used in the ljpeg_start() function.
A maliciously crafted raw image file can be used to trigger the vulnerability,
causing a Denial of Service condition.
Affected version:
dcraw >= 7.00
UFRaw >= 0.5
LibRaw <= 0.16.0, 0.17-Alpha2
RawTherapee >= 3.0
CxImage >= 6.00
Rawstudio >= 0.1
Kodi >= 10.0
ExactImage >= 0.1.0
Fixed version:
dcraw, N/A
UFRaw, N/A
LibRaw >= 0.16.1, 0.17-Alpha3
RawTherapee, N/A
CxImage, N/A
Rawstudio, N/A
Kodi, N/A
ExactImage, N/A
Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot]
com>.
CVE: N/A
Timeline:
2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release
References:
https://github.com/LibRaw/
https://github.com/rawstudio/
Permalink:
http://www.ocert.org/
Komentarų nėra:
Rašyti komentarą