Vulnerabilities > CVE-2013-1438 - NULL Pointer Dereference Denial of Service vulnerability in LibRaw
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used in libraw, ufraw, shotwell, and other products, allows context-dependent attackers to cause a denial of service via a crafted photo file that triggers a (1) divide-by-zero, (2) infinite loop, or (3) NULL pointer dereference.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 10 |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1978-1.NASL description It was discovered that libKDcraw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against libKDcraw could be made to crash, resulting in a denial of service. (CVE-2013-1438, CVE-2013-1439). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 70253 published 2013-10-01 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70253 title Ubuntu 12.04 LTS : libkdcraw vulnerabilities (USN-1978-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-22924.NASL description This update hardens ufraw against corrupt input files which might trigger a division by zero, an infinite loop, or a NULL pointer dereference otherwise. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-17 plugin id 71481 published 2013-12-17 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71481 title Fedora 19 : ufraw-0.19.2-10.fc19 (2013-22924) NASL family Fedora Local Security Checks NASL id FEDORA_2013-15576.NASL description Raphael Geissert reported two denial of service flaws in LibRaw [1] : CVE-2013-1438 : Specially crafted photo files may trigger a division by zero, an infinite loop, or a NULL pointer dereference in libraw leading to denial of service in applications using the library. These vulnerabilities appear to originate in dcraw and as such any program or library based on it is affected. To name a few confirmed applications: dcraw, ufraw. Other affected software: shotwell, darktable, and libkdcraw (Qt-style interface to libraw, using embedded copy) which is used by digikam. Google Picasa apparently uses dcraw/ufraw so it might be affected. dcraw last seen 2020-03-17 modified 2013-09-10 plugin id 69821 published 2013-09-10 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69821 title Fedora 18 : LibRaw-0.14.8-3.fc18.20120830git98d925 (2013-15576) NASL family Fedora Local Security Checks NASL id FEDORA_2013-22899.NASL description This update hardens ufraw against corrupt input files which might trigger a division by zero, an infinite loop, or a NULL pointer dereference otherwise. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-17 plugin id 71479 published 2013-12-17 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71479 title Fedora 18 : ufraw-0.19.2-10.fc18 (2013-22899) NASL family Fedora Local Security Checks NASL id FEDORA_2013-22900.NASL description This update hardens dcraw against corrupt input files which might trigger a division by zero, an infinite loop, or a NULL pointer dereference otherwise. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-17 plugin id 71480 published 2013-12-17 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71480 title Fedora 19 : dcraw-9.19-4.fc19 (2013-22900) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201309-09.NASL description The remote host is affected by the vulnerability described in GLSA-201309-09 (LibRaw, libkdcraw: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibRaw and libkdcraw. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted file, possibly resulting in arbitrary code execution or Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 69900 published 2013-09-15 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69900 title GLSA-201309-09 : LibRaw, libkdcraw: Multiple vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-249.NASL description Updated libraw packages fix security vulnerabilities : It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against LibRaw could be made to crash, resulting in a denial of service (CVE-2013-1438, CVE-2013-1439). last seen 2020-06-01 modified 2020-06-02 plugin id 70385 published 2013-10-11 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/70385 title Mandriva Linux Security Advisory : libraw (MDVSA-2013:249) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2754.NASL description It was discovered that exactimage, a fast image processing library, does not correctly handle error conditions of the embedded copy of dcraw. This could result in a crash or other behaviour in an application using the library due to an uninitialized variable being passed to longjmp. This is a different issue than CVE-2013-1438/DSA-2748-1. last seen 2020-03-17 modified 2013-09-11 plugin id 69841 published 2013-09-11 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69841 title Debian DSA-2754-1 : exactimage - denial of service NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1964-1.NASL description It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against LibRaw could be made to crash, resulting in a denial of service. (CVE-2013-1438, CVE-2013-1439). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 70086 published 2013-09-24 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70086 title Ubuntu 12.04 LTS / 12.10 / 13.04 : libraw vulnerabilities (USN-1964-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-22929.NASL description This update hardens dcraw against corrupt input files which might trigger a division by zero, an infinite loop, or a NULL pointer dereference otherwise. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-17 plugin id 71482 published 2013-12-17 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71482 title Fedora 18 : dcraw-9.19-4.fc18 (2013-22929) NASL family Fedora Local Security Checks NASL id FEDORA_2013-15562.NASL description Raphael Geissert reported two denial of service flaws in LibRaw [1] : CVE-2013-1438 : Specially crafted photo files may trigger a division by zero, an infinite loop, or a NULL pointer dereference in libraw leading to denial of service in applications using the library. These vulnerabilities appear to originate in dcraw and as such any program or library based on it is affected. To name a few confirmed applications: dcraw, ufraw. Other affected software: shotwell, darktable, and libkdcraw (Qt-style interface to libraw, using embedded copy) which is used by digikam. Google Picasa apparently uses dcraw/ufraw so it might be affected. dcraw last seen 2020-03-17 modified 2013-09-10 plugin id 69820 published 2013-09-10 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69820 title Fedora 19 : LibRaw-0.14.8-3.fc19.20120830git98d925 (2013-15562) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-098.NASL description Updated rawtherapee package fixes security vulnerability : Due to flaws in the embedded copy of dcraw in rawtherapee, corrupt input files might trigger a division by zero, an infinite loop, or a NULL pointer dereference (CVE-2013-1438). last seen 2020-06-01 modified 2020-06-02 plugin id 74076 published 2014-05-19 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74076 title Mandriva Linux Security Advisory : rawtherapee (MDVSA-2014:098) NASL family Fedora Local Security Checks NASL id FEDORA_2013-22832.NASL description This update hardens ufraw against corrupt input files which might trigger a division by zero, an infinite loop, or a NULL pointer dereference otherwise. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-18 plugin id 71503 published 2013-12-18 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71503 title Fedora 20 : ufraw-0.19.2-10.fc20 (2013-22832) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2748.NASL description Several denial-of-service vulnerabilities were discovered in the dcraw code base, a program for procesing raw format images from digital cameras. This update corrects them in the copy that is embedded in the exactimage package. last seen 2020-03-17 modified 2013-09-02 plugin id 69523 published 2013-09-02 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69523 title Debian DSA-2748-1 : exactimage - denial of service NASL family Fedora Local Security Checks NASL id FEDORA_2013-22854.NASL description This update hardens dcraw against corrupt input files which might trigger a division by zero, an infinite loop, or a NULL pointer dereference otherwise. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-18 plugin id 71504 published 2013-12-18 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71504 title Fedora 20 : dcraw-9.19-4.fc20 (2013-22854)