Debian LTS: DLA-3113-1: libraw security update
Summary
-------------------------------------------------------------------------Debian LTS Advisory DLA-3113-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Helmut Grohne September 16, 2022 https://wiki.debian.org/LTS -------------------------------------------------------------------------Package : libraw Version : 0.19.2-2+deb10u1 CVE ID : CVE-2020-35530 CVE-2020-35531 CVE-2020-35532 CVE-2020-35533 Multiple file parsing vulnerabilities have been fixed in libraw. They are concerned with the dng and x3f formats. CVE-2020-35530 There is an out-of-bounds write vulnerability within the "new_node()" function (src/x3f/x3f_utils_patched.cpp) that can be triggered via a crafted X3F file. Reported by github user 0xfoxone. CVE-2020-35531 An out-of-bounds read vulnerability exists within the get_huffman_diff() function (src/x3f/x3f_utils_patched.cpp) when reading data from an image file. Reported by github user GirlElecta. CVE-2020-35532 An out-of-bounds read vulnerability exists within the "simple_decode_row()" function (src/x3f/x3f_utils_patched.cpp) which can be triggered via an image with a large row_stride field. Reported by github user GirlElecta. CVE-2020-35533 An out-of-bounds read vulnerability exists within the "LibRaw::adobe_copy_pixel()" function (src/decoders/dng.cpp) when reading data from the image file. Reported by github user GirlElecta. For Debian 10 buster, these problems have been fixed in version 0.19.2-2+deb10u1. We recommend that you upgrade your libraw packages. For the detailed security status of libraw please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/libraw Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS