Heap-buffer-overflow when using function raw2image() #195
Comments
OK, for some strange reason I see only the partial patch (the previous one) in raw2image; will revisit the github copy today.
This is CVE-2018-20365
CVE-2018-20363, CVE-2018-20364, CVE-2018-20365 - all three are assigned for the same problem
Hi
On Sun, Dec 23, 2018 at 09:46:11PM -0800, LibRaw LLC wrote:
> CVE-2018-20363, CVE-2018-20364, CVE-2018-20365 - all three are
> assigned for the same problem
I'm just the messenger of the CVE while investigating some CVEs.
I noticed that MITRE has assigned the following set:
CVE-2018-20363:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20363
- #193
CVE-2018-20364:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20364
- #194
CVE-2018-20365:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20365
- #195
Do you mean the underlying issue of all those is the same and is the
one covered by #195?
Thanks already for your help and clarification to pinpoint the
issues.
I see a single problem: due to an inconsistency in Sinar 4-shot files handling (introduced in the current development branch), it is possible to read full-color data in one place, while trying to read single-color data in another. Please note
Also, in the #193 discussion I see traces of some other problem, but I do not have a POC (and I'm not sure that the reporter has recompiled LibRaw after git pull). Right now I assume that the sinar-4-shot related case (all three CVEs) is resolved.
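The bug class described in the comment above is two code paths deriving the samples-per-pixel count independently, so a buffer allocated for single-color data can be written as if it held full-color data. The following is an added, constructed illustration of the defensive shape (a single source of truth for the channel count plus a size check before the copy); it is not LibRaw code, and every name in it (raw_header_t, channels_from_header, checked_raw2image, the demo_* helpers) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed header: only the fields the example needs (hypothetical). */
typedef struct {
    size_t width;
    size_t height;
    int is_four_shot;   /* 1 = full-color (4 samples/pixel), 0 = single-color */
} raw_header_t;

/* Single source of truth: every code path that needs the channel count
 * must call this instead of re-deriving it from the header on its own. */
int channels_from_header(const raw_header_t *h)
{
    return h->is_four_shot ? 4 : 1;
}

/* Copy raw samples into an output buffer that the caller allocated.
 * Returns the number of samples copied, or -1 if the header, the raw
 * data and the destination do not agree on sizes (the overflow case). */
int checked_raw2image(const raw_header_t *hdr,
                      const uint16_t *raw, size_t raw_len,
                      uint16_t *out, size_t out_len)
{
    size_t channels = (size_t)channels_from_header(hdr);

    /* npix = width * height, with overflow check on the multiplication. */
    if (hdr->width == 0 || hdr->height == 0) return -1;
    size_t npix = hdr->width * hdr->height;
    if (npix / hdr->width != hdr->height) return -1;

    /* need = samples the header says are present; check overflow again. */
    size_t need = npix * channels;
    if (need / channels != npix) return -1;

    /* Both the source and the destination must hold at least `need`
     * samples; a destination sized for 1 channel but a header saying 4
     * is exactly the inconsistency that becomes a heap overflow. */
    if (need > raw_len || need > out_len) return -1;

    memcpy(out, raw, need * sizeof(uint16_t));
    return (int)need;
}

/* Constructed input: a 2x2 four-shot frame (16 samples) copied into a
 * destination correctly sized for 4 channels. Expected: 16. */
int demo_consistent(void)
{
    raw_header_t hdr = { 2, 2, 1 };
    uint16_t raw[16];
    uint16_t out[16];
    for (int i = 0; i < 16; i++) raw[i] = (uint16_t)(i + 1);
    int n = checked_raw2image(&hdr, raw, 16, out, 16);
    if (n != 16) return n;
    return memcmp(raw, out, sizeof raw) == 0 ? 16 : -2;
}

/* Constructed input: the same four-shot header, but the destination was
 * allocated as if the file were single-color (4 samples). The check
 * refuses the copy instead of writing 12 samples past the buffer. */
int demo_mismatched(void)
{
    raw_header_t hdr = { 2, 2, 1 };
    uint16_t raw[16] = { 0 };
    uint16_t out[4];
    return checked_raw2image(&hdr, raw, 16, out, 4);
}

/* Constructed input: a 2x2 single-color frame into a 4-sample buffer. */
int demo_single_color(void)
{
    raw_header_t hdr = { 2, 2, 0 };
    uint16_t raw[4] = { 7, 8, 9, 10 };
    uint16_t out[4];
    return checked_raw2image(&hdr, raw, 4, out, 4);
}
```

Under AddressSanitizer the unchecked variant of this copy is what produces the heap-buffer-overflow report the issue quotes; with the size check in place the mismatched case returns an error and the sanitizer stays quiet.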
Thanks for the detailed reply. With
This sample is refused under Windows (my primary dev. env), as it should be. Anyway, the master-branch fix is backported to 0.19.2, so 0.19.2 should process it safely (tested w/ FreeBSD, sorry no Linux here).
Apologies, what commit actually is supposed to fix this issue? With 0.19.2 I get for the given testcase:
OK, got it.
This patch should fix it: a7c17cb. I do not consider this problem as serious as the original one, because it affects only the half_size=1 case.
This patch on top of 0.19.2 fixes the issue.
Description
There is a heap-buffer-overflow in LibRaw::raw2image() (src/libraw_cxx.cpp:3423)
My test program
4channels in Libraw/bin
Command and argument
./4channels 4channels_crash
Crash Information
The output of the example test with AddressSanitizer enabled
Version
The commit is 7e29b9f
POC File
crash.zip
CREDIT
pu!m,Weiran Labs