Security update for libraw SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1460-1 Final 1 1 2017-05-31T08:53:47Z current 2017-05-31T08:53:47Z 2017-05-31T08:53:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libraw This update for libraw fixes the following issues: * CVE-2017-6890: A boundary error within the 'foveon_load_camf()' function was fixed. [boo#1039209] * CVE-2017-6889: An integer overflow error within the 'foveon_load_camf()' function was fixed. [boo#1039210] * CVE-2017-6887: A memory corruption via e.g. a specially crafted KDC file parse_tiff_ifd() was fixed. [boo#1039379] * CVE-2017-6886: A memory corruption in parse_tiff_ifd() function was fixed. [boo#1039380] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html E-Mail link for openSUSE-SU-2017:1460-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libraw-0.17.1-2.3.1 libraw-devel-0.17.1-2.3.1 libraw-devel-static-0.17.1-2.3.1 libraw-tools-0.17.1-2.3.1 libraw15-0.17.1-2.3.1 libraw-0.17.1-2.3.1 as a component of openSUSE Leap 42.2 libraw-devel-0.17.1-2.3.1 as a component of openSUSE Leap 42.2 libraw-devel-static-0.17.1-2.3.1 as a component of openSUSE Leap 42.2 libraw-tools-0.17.1-2.3.1 as a component of openSUSE Leap 42.2 libraw15-0.17.1-2.3.1 as a component of openSUSE Leap 42.2 An error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be exploited to corrupt memory. CVE-2017-6886 openSUSE Leap 42.2:libraw-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-static-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-tools-0.17.1-2.3.1 openSUSE Leap 42.2:libraw15-0.17.1-2.3.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html https://www.suse.com/security/cve/CVE-2017-6886.html CVE-2017-6886 https://bugzilla.suse.com/1039380 SUSE Bug 1039380 A boundary error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be exploited to cause a memory corruption via e.g. a specially crafted KDC file with model set to "DSLR-A100" and containing multiple sequences of 0x100 and 0x14A TAGs. CVE-2017-6887 openSUSE Leap 42.2:libraw-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-static-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-tools-0.17.1-2.3.1 openSUSE Leap 42.2:libraw15-0.17.1-2.3.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html https://www.suse.com/security/cve/CVE-2017-6887.html CVE-2017-6887 https://bugzilla.suse.com/1039379 SUSE Bug 1039379 An integer overflow error within the "foveon_load_camf()" function (dcraw_foveon.c) in LibRaw-demosaic-pack-GPL2 before 0.18.2 can be exploited to cause a heap-based buffer overflow. CVE-2017-6889 openSUSE Leap 42.2:libraw-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-static-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-tools-0.17.1-2.3.1 openSUSE Leap 42.2:libraw15-0.17.1-2.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html https://www.suse.com/security/cve/CVE-2017-6889.html CVE-2017-6889 https://bugzilla.suse.com/1039210 SUSE Bug 1039210 A boundary error within the "foveon_load_camf()" function (dcraw_foveon.c) when initializing a huffman table in LibRaw-demosaic-pack-GPL2 before 0.18.2 can be exploited to cause a stack-based buffer overflow. CVE-2017-6890 openSUSE Leap 42.2:libraw-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-devel-static-0.17.1-2.3.1 openSUSE Leap 42.2:libraw-tools-0.17.1-2.3.1 openSUSE Leap 42.2:libraw15-0.17.1-2.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-05/msg00111.html https://www.suse.com/security/cve/CVE-2017-6890.html CVE-2017-6890 https://bugzilla.suse.com/1039209 SUSE Bug 1039209