[SECURITY] Fedora 19 Update: LibRaw-0.14.8-3.fc19.20120830git98d925

Mon Sep 9 23:50:03 UTC 2013

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-15562
2013-08-30 21:41:28
--------------------------------------------------------------------------------

Name        : LibRaw
Product     : Fedora 19
Version     : 0.14.8
Release     : 3.fc19.20120830git98d925
URL         : http://www.libraw.org
Summary     : Library for reading RAW files obtained from digital photo cameras
Description :
LibRaw is a library for reading RAW files obtained from digital photo
cameras (CRW/CR2, NEF, RAF, DNG, and others).

LibRaw is based on the source codes of the dcraw utility, where part of
drawbacks have already been eliminated and part will be fixed in future.

--------------------------------------------------------------------------------
Update Information:

Raphael Geissert reported two denial of service flaws in LibRaw [1]:

CVE-2013-1438:

Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference in libraw leading to
denial of service in applications using the library.
These vulnerabilities appear to originate in dcraw and as such any
program or library based on it is affected. To name a few confirmed
applications: dcraw, ufraw. Other affected software: shotwell,
darktable, and libkdcraw (Qt-style interface to libraw, using embedded
copy) which is used by digikam.

Google Picasa apparently uses dcraw/ufraw so it might be affected.
dcraw's homepage has a list of applications that possibly still use
it:
http://cybercom.net/~dcoffin/dcraw/

Affected versions of libraw: confirmed: 0.8-0.15.3; but it is likely
that all versions are affected.

Fixed in: libraw 0.15.4

CVE-2013-1439:

Specially crafted photo files may trigger a series of conditions in
which a null pointer is dereferenced leading to denial of service in
applications using the library. These three vulnerabilities are
in/related to the 'faster LJPEG decoder', which upstream states was
introduced in LibRaw 0.13 and support for which is going to be dropped
in 0.16.

Affected versions of libraw: 0.13.x-0.15.x
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 30 2013 Jon Ciesla <limburgher at gmail.com> - 0.14.8-3
- Update to snapshot 98d925 to fix CVE-2013-1438,9, BZ 1002717.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1002717 - CVE-2013-1439 CVE-2013-1438 LibRaw: multiple denial of service flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1002717
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update LibRaw' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------