Security update for libraw SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:3392-1 Final 1 1 2017-12-21T07:30:43Z current 2017-12-21T07:30:43Z 2017-12-21T07:30:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libraw This update for libraw fixes the following issues: Security issues fixed: - CVE-2017-13735: A floating point exception in kodak_radc_load_raw could be used by attackers to crash a libraw using application (bsc#1060321) - CVE-2017-14608: An out-of-bounds read in the kodak_65000_load_raw function could be used for crashing or information leak from the libraw library (bsc#1063798) - CVE-2017-16909: Fix heap-buffer overflow in the LibRaw::panasonic_load_raw() function (bsc#1072385). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP2-2017-2126,SUSE-SLE-DESKTOP-12-SP3-2017-2126,SUSE-SLE-SDK-12-SP2-2017-2126,SUSE-SLE-SDK-12-SP3-2017-2126,SUSE-SLE-WE-12-SP2-2017-2126,SUSE-SLE-WE-12-SP3-2017-2126 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20173392-1/ Link for SUSE-SU-2017:3392-1 https://lists.suse.com/pipermail/sle-security-updates/2017-December/003548.html E-Mail link for SUSE-SU-2017:3392-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1060321 SUSE Bug 1060321 https://bugzilla.suse.com/1063798 SUSE Bug 1063798 https://bugzilla.suse.com/1072385 SUSE Bug 1072385 https://www.suse.com/security/cve/CVE-2017-13735/ SUSE CVE CVE-2017-13735 page https://www.suse.com/security/cve/CVE-2017-14608/ SUSE CVE CVE-2017-14608 page https://www.suse.com/security/cve/CVE-2017-16909/ SUSE CVE CVE-2017-16909 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Software Development Kit 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 SUSE Linux Enterprise Workstation Extension 12 SP2 SUSE Linux Enterprise Workstation Extension 12 SP3 libraw9-0.15.4-16.1 libraw-devel-0.15.4-16.1 libraw-devel-static-0.15.4-16.1 libraw9-0.15.4-16.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libraw9-0.15.4-16.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 libraw-devel-0.15.4-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 libraw-devel-static-0.15.4-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 libraw9-0.15.4-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 libraw-devel-0.15.4-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 libraw-devel-static-0.15.4-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 libraw9-0.15.4-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 libraw9-0.15.4-16.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP2 libraw9-0.15.4-16.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP3 There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. CVE-2017-13735 SUSE Linux Enterprise Desktop 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Desktop 12 SP3:libraw9-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw-devel-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw-devel-static-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw-devel-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw-devel-static-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw9-0.15.4-16.1 SUSE Linux Enterprise Workstation Extension 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Workstation Extension 12 SP3:libraw9-0.15.4-16.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173392-1/ https://www.suse.com/security/cve/CVE-2017-13735.html CVE-2017-13735 https://bugzilla.suse.com/1056170 SUSE Bug 1056170 https://bugzilla.suse.com/1060321 SUSE Bug 1060321 In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. CVE-2017-14608 SUSE Linux Enterprise Desktop 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Desktop 12 SP3:libraw9-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw-devel-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw-devel-static-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw-devel-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw-devel-static-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw9-0.15.4-16.1 SUSE Linux Enterprise Workstation Extension 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Workstation Extension 12 SP3:libraw9-0.15.4-16.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173392-1/ https://www.suse.com/security/cve/CVE-2017-14608.html CVE-2017-14608 https://bugzilla.suse.com/1063798 SUSE Bug 1063798 An error related to the "LibRaw::panasonic_load_raw()" function (dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image. CVE-2017-16909 SUSE Linux Enterprise Desktop 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Desktop 12 SP3:libraw9-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw-devel-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw-devel-static-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw-devel-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw-devel-static-0.15.4-16.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libraw9-0.15.4-16.1 SUSE Linux Enterprise Workstation Extension 12 SP2:libraw9-0.15.4-16.1 SUSE Linux Enterprise Workstation Extension 12 SP3:libraw9-0.15.4-16.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173392-1/ https://www.suse.com/security/cve/CVE-2017-16909.html CVE-2017-16909 https://bugzilla.suse.com/1072385 SUSE Bug 1072385