
Debian LTS: Security Advisory for libraw (DLA-2903-1)

Information

Severity: High
Family: Debian Local Security Checks
CVSSv2 Base: 7.8
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Solution Type: Vendor Patch
Created: 2 years ago
Modified: 2 years ago

Summary

The remote host is missing an update for the 'libraw' package(s) announced via the DLA-2903-1 advisory.

Insight

Several vulnerabilities have been discovered in libraw that may lead to the execution of arbitrary code, denial of service, or information leaks.

CVE-2017-13735: There is a floating point exception in the kodak_radc_load_raw function. It will lead to a remote denial of service attack.
CVE-2017-14265: A stack-based buffer overflow was discovered in the xtrans_interpolate method. It could allow a remote denial of service or code execution attack.
CVE-2017-14348: There is a heap-based buffer overflow in the processCanonCameraInfo function.
CVE-2017-14608: An out-of-bounds read flaw related to kodak_65000_load_raw has been reported in libraw. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
CVE-2017-16909: An error related to the 'LibRaw::panasonic_load_raw()' function can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image.
CVE-2017-16910: An error within the 'LibRaw::xtrans_interpolate()' function can be exploited to cause an invalid read memory access and subsequently a denial of service condition.
CVE-2018-5800: An off-by-one error within the 'LibRaw::kodak_ycbcr_load_raw()' function can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
CVE-2018-5801: An error within the 'LibRaw::unpack()' function can be exploited to trigger a NULL pointer dereference.
CVE-2018-5802: An error within the 'kodak_radc_load_raw()' function can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
CVE-2018-5804: A type confusion error within the 'identify()' function can be exploited to trigger a division by zero.
CVE-2018-5805: A boundary error within the 'quicktake_100_load_raw()' function can be exploited to cause a stack-based buffer overflow and subsequently cause a crash.
CVE-2018-5806: An error within the 'leaf_hdr_load_raw()' function can be exploited to trigger a NULL pointer dereference.
CVE-2018-5807: An error within the 'samsung_load_raw()' function can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
CVE-2018-5808: An error within the 'find_green()' function can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code.
CVE-2018-5810: An error within the 'rollei_load_raw()' function can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
CVE-2018-5811: An error within the 'nikon_coolsc ... Description truncated. Please see the references for more information.

Affected Software

'libraw' package(s) on Debian Linux.

Detection Method

Checks if a vulnerable package version is present on the target host.

Solution

For Debian 9 stretch, these problems have been fixed in version 0.17.2-6+deb9u2. We recommend that you upgrade your libraw packages.
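As an added example that is not Mageni's or Debian's own code, this is the version check the detection method describes, written in Python with dpkg's version ordering (epoch, upstream version, Debian revision; '~' sorts lowest) and applied to the fixed version from the Solution section. The installed versions it is tested against are constructed; on a real stretch host the value would come from `dpkg-query -W -f='${Version}'` for the libraw binary package (package name assumed, not given on the page).

```python
import re
from itertools import zip_longest

FIXED_VERSION = "0.17.2-6+deb9u2"  # fixed version for Debian 9 stretch, from DLA-2903-1
_PART = re.compile(r"(\D*)(\d*)")  # a version is a sequence of (non-digit, digit) runs


def _order(c: str) -> int:
    # dpkg weighting: '~' < end of string ("") < letters < other symbols
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    # Same ordering as dpkg's verrevcmp(): non-digit runs char by char, digit runs numerically
    pa = [p for p in _PART.findall(a) if p != ("", "")]
    pb = [p for p in _PART.findall(b) if p != ("", "")]
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        da, db = da.lstrip("0"), db.lstrip("0")
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
    return 0


def _split(version: str):
    # [epoch:]upstream[-debian_revision]; missing epoch is 0, revision follows the last '-'
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # The plugin's check: an installed libraw older than the fixed version is still affected
    return compare_versions(installed, fixed) < 0
```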