Your message dated Tue, 31 Jul 2018 12:19:19 +0000
with message-id <[email protected]>
and subject line Bug#721232: fixed in dcraw 9.28-1
has caused the Debian Bug report #721232,
regarding CVE-2013-1438: dcraw: multiple vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
721232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721232
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libraw
Severity: important
Tags: security
Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9
Control: retitle -1 CVE-2013-1438: libraw: multiple vulnerabilities
Control: retitle -2 CVE-2013-1438: dcraw: multiple vulnerabilities
Control: reassign -2 dcraw
Control: retitle -3 CVE-2013-1438: darktable: multiple vulnerabilities
Control: reassign -3 darktable
Control: retitle -4 CVE-2013-1438: ufraw: multiple vulnerabilities
Control: reassign -4 ufraw
Control: retitle -5 CVE-2013-1438: xbmc: multiple vulnerabilities
Control: reassign -5 src:xbmc
Control: retitle -6 CVE-2013-1438: exactimage: multiple vulnerabilities
Control: reassign -6 exactimage
Control: retitle -7 CVE-2013-1438: rawstudio: multiple vulnerabilities
Control: reassign -7 rawstudio
Control: retitle -8 CVE-2013-1438: rawtherapee: multiple vulnerabilities
Control: reassign -8 rawtherapee
Control: retitle -9 CVE-2013-1438: libkdcraw: multiple vulnerabilities
Control: reassign -9 libkdcraw

Hi,

I found a few vulnerabilities in dcraw, and they are all covered by the
CVE-2013-1438 id:
"Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference."

Alex Tutubalin, libraw upstream, has patched the vulnerabilities in
libraw and the patches should apply as-is to the vast majority of
embedders. For the details, see
 http://www.openwall.com/lists/oss-security/2013/08/29/3

Please include the CVE id when fixing these vulnerabilities and
consider fixing them in old/stable via a {O,}SPU by following standard
procedures for stable release updates.

P.S. yes, the above Control list is annoying, but so is having so many
copies of the same code base in the archive.

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--- End Message ---
--- Begin Message ---
Source: dcraw
Source-Version: 9.28-1

We believe that the bug you reported is fixed in the latest version of
dcraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Filip Hroch <[email protected]> (supplier of updated dcraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 31 Jul 2018 11:13:05 +0200
Source: dcraw
Binary: dcraw
Architecture: source
Version: 9.28-1
Distribution: unstable
Urgency: low
Maintainer: Debian Astronomy Team <[email protected]>
Changed-By: Filip Hroch <[email protected]>
Description:
 dcraw      - decode raw digital camera images
Closes: 721232 864168
Changes:
 dcraw (9.28-1) unstable; urgency=low
 .
   * New upstream version.
   * Updated to latest Debian standards.
   * Updated autotools patch.
   * Added lcms2 library into configure.ac (Ubuntu bug no.1611001).
   * Added hardening options to debian/rules.
   * Switched on a high level of optimisation, as the upstream author recommends.
   * Removed obsolete --with-autoreconf option in debian/rules.
   * Fixed the bug CVE-2013-1438: dcraw (multiple vulnerabilities) mostly
     in JPEG/TIFF write routines. The patch has been applied by hand
     to reflect latest upstream source code changes. Closes: #721232
   * Fixed index overflow in smal_decode_segment() bug. I also patched it
     by hand. No tests performed (no data available). Closes: #864168
   * Funny false warning: lintian reports "spelling-error-in-binary
     usr/bin/dcraw Optio Option". The character string is correct
     designating Pentax Optio cameras.


--- End Message ---
