Bug 200194 - [security] graphics/libraw - CVE-2015-3885
Summary: [security] graphics/libraw - CVE-2015-3885
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Sergey A. Osokin
Depends on:
Reported: 2015-05-14 16:30 UTC by Sevan Janiyan
Modified: 2015-06-04 00:36 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (osa)

security/vuxml update for libraw (1.27 KB, patch)
2015-06-04 00:09 UTC, Jason Unovitch
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Chris Hutchinson 2015-05-14 16:50:10 UTC
Shouldn't this also include
graphics/dcraw/ and graphics/dcraw-m/ ?
Comment 2 Sevan Janiyan 2015-05-14 17:06:43 UTC
(In reply to Chris Hutchinson from comment #1)

Thanks for the heads up, actually it's applicable to the versions of dcraw, ufraw, rawtherapee, rawstudio, kodi, exact-image in ports/graphics.
I'll open separate bug reports for those now.
Comment 3 commit-hook freebsd_committer 2015-06-03 21:43:46 UTC
A commit references this bug:

Author: osa
Date: Wed Jun  3 21:43:44 UTC 2015
New revision: 388490
URL: https://svnweb.freebsd.org/changeset/ports/388490

  Security upgrade from 0.16.0 to 0.16.2.

  PR:	200194


  2015-05-16 Alex Tutubalin <lexa@lexa.ru>
    * Fix for several problems reported by AFL run
    * LibRaw 0.16.2-Release

  2015-05-11 Alex Tutubalin <lexa@lexa.ru>
    * Fix for dcraw ljpeg_start() vulnerability
    * LibRaw 0.16.1-Release


Comment 4 Sergey A. Osokin freebsd_committer 2015-06-03 21:47:47 UTC
Upgraded to 0.16.2, thanks for report.
Comment 5 Jason Unovitch freebsd_committer 2015-06-04 00:09:46 UTC
Created attachment 157397 [details]
security/vuxml update for libraw

Patch for extending vuxml to cover this is attached. Can we get that in before we close the books on this PR?

 - Add libraw to 57325ecf-facc-11e4-968f-b888e347c638
 - Update entry dates for newly added entry.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libraw-0.16.0
libraw-0.16.0 is vulnerable:
kodi, libraw, rawstudio, and ufraw -- integer overflow condition
CVE: CVE-2015-3885
WWW: http://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libraw-0.16.2
0 problem(s) in the installed packages found.
Comment 6 Sergey A. Osokin freebsd_committer 2015-06-04 00:36:30 UTC
Comment 7 commit-hook freebsd_committer 2015-06-04 00:36:59 UTC
A commit references this bug:

Author: osa
Date: Thu Jun  4 00:35:59 UTC 2015
New revision: 388491
URL: https://svnweb.freebsd.org/changeset/ports/388491

  Update information for graphics/libraw.

  PR:	200194