[cximage] Fix denial of service via a crafted photo file (CVE-2013-1438) #4179

Merged
merged 1 commit into from Feb 9, 2014


Member
anssih commented Feb 9, 2014

Embedded CxImage embeds a copy of libDCR, a fork of dcraw.c, which
contains several denial of service vulnerabilities as discovered by
Raphael Geissert. These seem to affect the CxImage-embedded libDCR as
well.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1438
Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used in
libraw, ufraw, shotwell, and other products, allows context-dependent
attackers to cause a denial of service via a crafted photo file that
triggers a (1) divide-by-zero, (2) infinite loop, or (3) NULL pointer
dereference.

Port the fix from libRaw [1] to CxImage's copy of libDCR. The patch has
been submitted upstream.

[1] LibRaw/LibRaw@9ae25d8

I've performed only very minimal testing, and I don't know of any affected sample file.
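The CVE text above names three failure modes a crafted photo file can trigger in a raw decoder: a divide-by-zero, an infinite loop and a NULL pointer dereference, all reached through unchecked image dimension fields. As an added example (not code from CxImage, libDCR, LibRaw or this pull request), the C below shows the defensive pattern the fix relies on: validate the width, height and bits-per-sample of each TIFF-style IFD record before they are used to select the main image or in any size arithmetic, so a zero or absurd value is rejected instead of reaching a division or a loop bound. The `ifd_entry` struct, the `MAX_DIM`/`MAX_BPS` limits and the sample records are constructed for this example and are not the decoder's own types or values.

```c
/* Added example: bounds-checking image dimensions from a TIFF-style IFD
 * before using them. Not code from CxImage, libDCR, LibRaw or this PR;
 * the struct, limits and sample data are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DIM 65535u   /* assumed sane upper bound on a dimension */
#define MAX_BPS 32u      /* assumed sane upper bound on bits per sample */

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bps;        /* bits per sample */
} ifd_entry;

/* Returns 1 if the record describes an image we are willing to decode.
 * A zero dimension would later feed a division or a zero-length loop;
 * an oversized one would blow up allocation arithmetic. */
int ifd_is_sane(const ifd_entry *e)
{
    if (e == NULL) return 0;
    if (e->width == 0 || e->height == 0) return 0;
    if (e->width > MAX_DIM || e->height > MAX_DIM) return 0;
    if (e->bps == 0 || e->bps > MAX_BPS) return 0;
    return 1;
}

/* Pick the largest sane IFD, the way a raw decoder chooses the main
 * image among thumbnails. Returns -1 if no record passes the check,
 * so the caller fails closed instead of dereferencing nothing. */
int select_main_ifd(const ifd_entry *ifds, size_t n)
{
    int best = -1;
    uint64_t best_pixels = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ifd_is_sane(&ifds[i])) continue;   /* skip, don't trust */
        uint64_t px = (uint64_t)ifds[i].width * ifds[i].height;
        if (px > best_pixels) { best_pixels = px; best = (int)i; }
    }
    return best;
}

/* Bytes needed for one row; 64-bit arithmetic cannot overflow within the
 * limits enforced by ifd_is_sane. Returns 0 (and leaves *out untouched)
 * for a record that failed validation. */
int bytes_per_row(const ifd_entry *e, uint64_t *out)
{
    if (!ifd_is_sane(e)) return 0;
    uint64_t bits = (uint64_t)e->width * e->bps;
    *out = (bits + 7) / 8;
    return 1;
}

/* How many rows a strip of strip_bytes holds. The divisor is checked
 * before the division so a crafted zero-width record cannot trap. */
int rows_in_strip(uint64_t strip_bytes, const ifd_entry *e, uint64_t *out)
{
    uint64_t bpr = 0;
    if (!bytes_per_row(e, &bpr) || bpr == 0) return 0;
    *out = strip_bytes / bpr;
    return 1;
}

/* Constructed sample: one zero-width record, one plausible main image,
 * one oversized record, one small thumbnail. */
static const ifd_entry sample_ifds[] = {
    {     0,  100,  8 },   /* zero width: would divide by zero */
    {  4000, 3000, 16 },   /* plausible main image */
    { 70000,    1,  8 },   /* width beyond MAX_DIM */
    {   200,  100,  8 },   /* small thumbnail */
};
#define SAMPLE_COUNT (sizeof sample_ifds / sizeof sample_ifds[0])

int main(void)
{
    int idx = select_main_ifd(sample_ifds, SAMPLE_COUNT);
    uint64_t bpr = 0, rows = 0;
    printf("main IFD index: %d\n", idx);
    if (idx >= 0 && rows_in_strip(80000, &sample_ifds[idx], &rows) &&
        bytes_per_row(&sample_ifds[idx], &bpr))
        printf("bytes per row: %llu, rows in 80000-byte strip: %llu\n",
               (unsigned long long)bpr, (unsigned long long)rows);
    return 0;
}
```

The design point is that validation happens once, at the boundary where untrusted file fields become numbers, and every consumer re-checks through `ifd_is_sane` rather than assuming an earlier caller did; that is what keeps a missed call site (like the misplaced hunk discussed later in this thread) from silently reintroducing the divide-by-zero.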

@anssih anssih [cximage] Fix denial of service via a crafted photo file (CVE-2013-1438)
d13aee8
@MartijnKaijser MartijnKaijser added this to the Pending for inclusion milestone Feb 9, 2014
Member

Looks fine. jenkins build this please

Owner

should we also add this as separate patch file for future reference?

Member
anssih commented Feb 9, 2014

@MartijnKaijser We have a lot of other commits in our cximage as well and those are not as separate patch files. If we want to have them as patch files, we should add them all in a single commit, unrelated to this PR, IMO. (if we add just this one, there would be confusion on whether this is the only patch we have)

Owner

Yes, that would make more sense indeed. I didn't know the current state, hence the suggestion.

@jmarshallnz jmarshallnz merged commit 178000c into xbmc:master Feb 9, 2014

1 check failed

default Merged build #173 failed in 38 min
Member

This broke the CR2 format on Windows (still working on Linux); see the forum thread at http://forum.xbmc.org/showthread.php?tid=202552
Reverting this commit makes it work again.

Member

Weird. Are you able to narrow it down more? (I don't have a Win dev system)

I'll try to look through later upstream commits tomorrow or so to see if they had anything like that...

Member

Already done: #5263
Those two lines were inserted at line 932 instead of 923.

Member

Hmh... IIRC I first ported some other (apparently bad?) version of this patch that differed from the libraw patch in some ways (e.g. tiff_ifd[i].width and .height were checked individually) and then replaced it with the LibRaw version, but I guess I must have missed one hunk :/
