Bug 837750 (CVE-2013-1438) - VUL-1: CVE-2013-1438 CVE-2013-1439: libraw: multiple denial of service flaws
Summary: VUL-1: CVE-2013-1438 CVE-2013-1439: libraw: multiple denial of service flaws
Status: RESOLVED UPSTREAM
Alias: CVE-2013-1438
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Thomas Renninger
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3.1:SUSE:CVE-2013-1438:4.0:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-30 08:50 UTC by Matthias Weckbecker
Modified: 2021-05-31 16:42 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2013-08-30 08:50:51 UTC 
Specially crafted images could cause Denial of Service issues (looks like CPU
consumption rather than crash).

Commits:

  - https://github.com/LibRaw/LibRaw/commit/11909c
  - https://github.com/LibRaw/LibRaw/commit/9ae25d
Comment 1 Matthias Weckbecker 2013-08-30 08:51:23 UTC 
I think the following CVE were assigned:

  * CVE-2013-1438, and 
  * CVE-2013-1439
Comment 2 Swamp Workflow Management 2013-08-30 22:00:18 UTC 
bugbot adjusting priority
Comment 3 Thomas Renninger 2013-09-02 12:31:13 UTC 
Do we really need to release a maintenance update for this:
> looks like CPU consumption rather than crash

The patches are rather big. I would definitely not change the CFLAGS and similar stuff which were commented out in the patch.

I could add the
throw LIBRAW_EXCEPTION_IO_CORRUPT;
parts, but I won't be able to test this.
It also is not clear in which product this is needed (SLE11 SP3?).
Comment 4 Matthias Weckbecker 2013-09-17 10:34:44 UTC 
We always fix all maintained and affected products.
Comment 5 Marcus Meissner 2013-10-04 13:14:28 UTC 
no need for immediate action, we have it only on the planned updates list for collective updates later
Comment 6 Marcus Meissner 2013-10-04 13:16:59 UTC 
(is this really for Thomas who does libraw1394 , a firewire lirbary?

or more for Petr Gajdos, who does libraw? ;)
Comment 7 Thomas Renninger 2014-12-15 16:53:35 UTC 
I am closing this bug now.
It's more than a year old, rated low and probably fixed mainline for quite a while.