SB2018051007 - Arch Linux update for libraw
Published: May 10, 2018 Updated: December 10, 2018
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2018-10528)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the X3F parser due to a stack-based buffer overflow condition in the utf2char function, as defined in the libraw_cxx.cpp file. A local attacker can execute a specially crafted file and cause the service to crash.
2) Out-of-bounds read (CVE-ID: CVE-2018-10529)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the X3F parser due to an out-of-bounds read condition in the X3F property table list implementation in the libraw_x3f.cpp and libraw_cxx.cpp files. A local attacker can execute a specially crafted file and cause the service to crash.
3) Infinite loop (CVE-ID: CVE-2018-5813)
The vulnerability allows a remote attacker to cause a DoS condition.
The vulnerability exists due to improper parsing of files by the parse_minolta() function, as defined in the dcraw.c source code file of the affected software. A remote attacker can trick the victim into accessing a file that submits malicious input and trigger an infinite loop condition that causes the affected software to crash or become unresponsive.
Remediation
Install update from vendor's website.