[gentoo-announce] [ GLSA 202208-07 ] LibRaw: Stack buffer overread

    From glsamaker@gentoo.org@21:1/5 to All on Wed Aug 10 06:50:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202208-07
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Low
    Title: LibRaw: Stack buffer overread
    Date: August 10, 2022
    Bugs: #793956
    ID: 202208-07

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A buffer overread in LibRaw might allow an attacker to cause denial of
    service.

    Background
    ==========

    LibRaw is a library for reading RAW files obtained from digital photo
    cameras.

    Affected packages
    =================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
    1  media-libs/libraw        < 0.20.2                    >= 0.20.2

    Description
    ===========

    LibRaw incorrectly handles the parsing of DNG fields in some cases,
    potentially resulting in a buffer overread that leads to denial of
    service.

    Impact
    ======

    An attacker capable of providing crafted input to LibRaw could
    trigger a denial of service.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All LibRaw users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libraw-0.20.2"
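    As an added example that is not part of the advisory, the following POSIX sh script maps each installed media-libs/libraw version onto the advisory's vulnerable range (< 0.20.2), which is useful for auditing a fleet before running the upgrade; the /var/db/pkg path it reads is an assumption about the standard Portage VDB layout.

```sh
#!/bin/sh
# Added example, not part of GLSA 202208-07: classify an installed
# media-libs/libraw version against the advisory's vulnerable range
# (< 0.20.2). Pure POSIX sh, so it works where `sort -V` is absent.

# Fixed version named in the advisory.
LIBRAW_FIXED="0.20.2"

# Compare two dotted numeric versions; prints -1, 0 or 1 like strcmp.
# Gentoo revision ("-r1") and patch ("_p1") suffixes are stripped first,
# since they do not move a version across the 0.20.2 boundary.
vercmp() {
    a=${1%%-r*}; a=${a%%_*}
    b=${2%%-r*}; b=${b%%_*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading component of each version, 0 once a version is exhausted,
        # so 0.20 and 0.20.0 compare equal and 0.20.10 sorts after 0.20.2.
        ah=${a%%.*}; bh=${b%%.*}
        [ -n "$ah" ] || ah=0
        [ -n "$bh" ] || bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
        # Drop the component just compared.
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when VERSION falls inside the advisory's vulnerable range.
libraw_is_vulnerable() {
    [ "$(vercmp "$1" "$LIBRAW_FIXED")" -lt 0 ]
}

# Installed versions from the Portage VDB; assumes the standard
# /var/db/pkg layout and prints nothing when libraw is not installed.
installed_libraw_versions() {
    for d in /var/db/pkg/media-libs/libraw-*; do
        if [ -d "$d" ]; then printf '%s\n' "${d##*/libraw-}"; fi
    done
}

for v in $(installed_libraw_versions); do
    if libraw_is_vulnerable "$v"; then
        printf 'media-libs/libraw-%s: affected by GLSA 202208-07, upgrade\n' "$v"
    else
        printf 'media-libs/libraw-%s: not affected\n' "$v"
    fi
done
```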

    References
    ==========

    [ 1 ] CVE-2020-24870
    https://nvd.nist.gov/vuln/detail/CVE-2020-24870

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202208-07

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
