Security update for libraw SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0008-1 Final 1 1 2019-03-23T10:42:07Z current 2019-03-23T10:42:07Z 2019-03-23T10:42:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libraw This update for libraw fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-5813: Fixed an error within the 'parse_minolta()' function (dcraw/dcraw.c) that could be exploited to trigger an infinite loop via a specially crafted file. This could be exploited to cause a DoS.(boo#1103200). - CVE-2018-5815: Fixed an integer overflow in the internal/dcraw_common.cpp:parse_qt() function, that could be exploited to cause an infinite loop via a specially crafted Apple QuickTime file. (boo#1103206) - CVE-2018-5804,CVE-2018-5816: Fixed a type confusion error in the identify function (bsc#1097975) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-8 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00003.html E-Mail link for openSUSE-SU-2019:0008-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1097975 SUSE Bug 1097975 https://bugzilla.suse.com/1103200 SUSE Bug 1103200 https://bugzilla.suse.com/1103206 SUSE Bug 1103206 https://www.suse.com/security/cve/CVE-2018-5804/ SUSE CVE CVE-2018-5804 page https://www.suse.com/security/cve/CVE-2018-5813/ SUSE CVE CVE-2018-5813 page https://www.suse.com/security/cve/CVE-2018-5815/ SUSE CVE CVE-2018-5815 page https://www.suse.com/security/cve/CVE-2018-5816/ SUSE CVE CVE-2018-5816 page openSUSE Leap 15.0 libraw-devel-0.18.9-lp150.2.3.1 libraw-devel-static-0.18.9-lp150.2.3.1 libraw-tools-0.18.9-lp150.2.3.1 libraw16-0.18.9-lp150.2.3.1 libraw-devel-0.18.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libraw-devel-static-0.18.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libraw-tools-0.18.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 libraw16-0.18.9-lp150.2.3.1 as a component of openSUSE Leap 15.0 A type confusion error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a division by zero. CVE-2018-5804 openSUSE Leap 15.0:libraw-devel-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-devel-static-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-tools-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw16-0.18.9-lp150.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00003.html https://www.suse.com/security/cve/CVE-2018-5804.html CVE-2018-5804 https://bugzilla.suse.com/1097975 SUSE Bug 1097975 An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file. CVE-2018-5813 openSUSE Leap 15.0:libraw-devel-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-devel-static-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-tools-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw16-0.18.9-lp150.2.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00003.html https://www.suse.com/security/cve/CVE-2018-5813.html CVE-2018-5813 https://bugzilla.suse.com/1103200 SUSE Bug 1103200 An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file. CVE-2018-5815 openSUSE Leap 15.0:libraw-devel-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-devel-static-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-tools-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw16-0.18.9-lp150.2.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00003.html https://www.suse.com/security/cve/CVE-2018-5815.html CVE-2018-5815 https://bugzilla.suse.com/1103206 SUSE Bug 1103206 An integer overflow error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zero via specially crafted NOKIARAW file (Note: This vulnerability is caused due to an incomplete fix of CVE-2018-5804). CVE-2018-5816 openSUSE Leap 15.0:libraw-devel-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-devel-static-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw-tools-0.18.9-lp150.2.3.1 openSUSE Leap 15.0:libraw16-0.18.9-lp150.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00003.html https://www.suse.com/security/cve/CVE-2018-5816.html CVE-2018-5816 https://bugzilla.suse.com/1097975 SUSE Bug 1097975