From glsamaker@gentoo.org Wed Aug 10 04:06:20 2022
Subject: [gentoo-announce] [ GLSA 202208-07 ] LibRaw: Stack buffer overread
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Wed, 10 Aug 2022 04:06:20 -0000
Message-ID: <166010438091.7.12662075917553131088@fa4d926cc35c>
List-Id: Gentoo Linux mail
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202208-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: LibRaw: Stack buffer overread
      Date: August 10, 2022
      Bugs: #793956
        ID: 202208-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overread in LibRaw could allow an attacker to cause a denial of
service.

Background
==========

LibRaw is a library for reading RAW files obtained from digital photo
cameras.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/libraw          < 0.20.2                    >= 0.20.2

Description
===========

LibRaw mishandles the parsing of DNG fields in some cases, which can
result in a buffer overread and a denial of service.

Impact
======

An attacker able to supply crafted input to LibRaw (for example, a
crafted RAW/DNG file opened by an application linked against it) could
trigger a denial of service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibRaw users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libraw-0.20.2"

References
==========

[ 1 ] CVE-2020-24870
      https://nvd.nist.gov/vuln/detail/CVE-2020-24870

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
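The following is an added example and is not part of the GLSA, nor Gentoo's or LibRaw's own tooling. It is a POSIX shell check for the "Affected packages" and "Resolution" sections above: it reads the installed-package database (assumed to follow the Portage VDB layout under /var/db/pkg, where each installed package is a directory named category/package-version; the root is a parameter so the check can be pointed at a copy) and reports whether the installed media-libs/libraw falls in the Vulnerable column, i.e. is below 0.20.2. The function names vercmp, libraw_vulnerable, installed_libraw_versions and check_libraw are this example's own.

```shell
#!/bin/sh
# Added example (not from GLSA 202208-07): is the installed media-libs/libraw
# below the fixed version 0.20.2?

# Compare two dotted version strings component by component and print
# -1, 0 or 1 (a < b, a = b, a > b). A Gentoo revision suffix (-rN) is
# stripped first: the fix is in 0.20.2 itself, so 0.20.2-r1 is unaffected.
# Suffixes such as _p1 or _rc1 are treated as 0 for that component (assumption).
vercmp() {
    a=$(printf '%s' "$1" | sed 's/-r[0-9]*$//')
    b=$(printf '%s' "$2" | sed 's/-r[0-9]*$//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# True (exit 0) when the given libraw version is in the Vulnerable column.
libraw_vulnerable() {
    [ "$(vercmp "$1" 0.20.2)" -lt 0 ]
}

# Print one installed version of media-libs/libraw per line, read from the
# VDB root given as $1 (default /var/db/pkg). Prints nothing if not installed.
installed_libraw_versions() {
    root=${1:-/var/db/pkg}
    for d in "$root"/media-libs/libraw-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/libraw-}"
    done
}

# Report each installed libraw and exit 0 if at least one is vulnerable,
# so a caller knows to run the emerge command from the Resolution section.
check_libraw() {
    found=1
    for v in $(installed_libraw_versions "$1"); do
        if libraw_vulnerable "$v"; then
            echo "media-libs/libraw-$v: VULNERABLE (GLSA 202208-07), upgrade to >=0.20.2"
            found=0
        else
            echo "media-libs/libraw-$v: not affected"
        fi
    done
    return $found
}
```

Run it as `check_libraw` (or `check_libraw /path/to/vdb-copy`) and act on the exit status. Two caveats the advisory does not spell out: the package upgrade only fixes the shared library, so applications that already have the old libraw.so mapped keep the vulnerable code until they are restarted, and programs that bundle or statically link their own copy of LibRaw are not covered by upgrading media-libs/libraw at all.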
License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmLzLrwACgkQFMQkOaVy
+9nFDA/9FLtrkKU0CYSObwB/vaPDohkkgiX2SIbQrzS8E54GHQ8tMBaQurP1XyEo
iOB8CmMGoSKSx15MkhnpI/Uw9fMkh9fL1elxPC3S4TrO3qsYeigb2nlO4U7hEMvI
U/c4D+h2ZSgbyG1KhXiZWulQ6o0mj9yWBFUT3GQvhWei0S3bRsRL4yxeVwO0o+Lj
32V5r5jiBTf+qLthUWNBHQzAmfM3PxVNTh97/+k0k8LtmdW8mriBfwVMmXkKzMPV
uaxWdEdj76Lh57ToIq9AjlJLA72PtlnJNbp0p3qsI0sBfzBG6EyseefngyBauDJt
TqupYaMv07RteDPyIlYYRZocQtbLqZUVQjFckIHPBM00Rhs1V2xto0ZP/L/X2VEL
TdoGGSA9Vx/MclJgoP6tZTAIYeRtUFcbtJ4HwK5GO9qozAYZiDDUznxdQxaX8qGY
2RyLGUWs4HvXR61y0jmUr0D9dVg9prg3b5Idgdq9U4J/XVl+Uy+ts67IszTM0CmR
qzmVUZUMhoUzdxsU1DZGF7jIe4+2iE2yz/k/lrGVnxuIETyp0006mudTGHM8U3Hw
sf9wUJfsGYDd+L2XIhozO+BsDKcWlmCSep1qGe+lJUxCwaTJrWw2n7XmjLLcH7Jo
N5Jzn9pa058SCMC7L5DzL5tPOG5IZ7NW32tKGDa3yhEo9j9sqmY=
=CKYO
-----END PGP SIGNATURE-----