Vulnerabilities > CVE-2013-2126 - Resource Management Errors vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple double free vulnerabilities in the LibRaw::unpack function in libraw_cxx.cpp in LibRaw before 0.15.2 allow context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed full-color (1) Foveon or (2) sRAW image file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2013-13112.NASL description KDE released updates for its Workspaces, Applications, and Development Platform. These updates are the last in a series of monthly stabilization updates to the 4.10 series. 4.10.5 updates bring many bugfixes on top of the latest edition in the 4.10 series and are recommended updates for everyone running 4.10.4 or earlier versions. See also: http://kde.org/announcements/announce-4.10.5.php Fix for CVE-2013-2126, double-free flaw when handling damaged full-color in Foveon and sRAW files Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-24 plugin id 69027 published 2013-07-24 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69027 title Fedora 18 : analitza-4.10.5-1.fc18 / ark-4.10.5-1.fc18 / audiocd-kio-4.10.5-1.fc18 / etc (2013-13112) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1885-1.NASL description It was discovered that libKDcraw incorrectly handled broken full-color images. If a user or automated system were tricked into processing a specially crafted raw image, applications linked against libKDcraw could be made to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 66923 published 2013-06-19 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66923 title Ubuntu 12.04 LTS : libkdcraw vulnerability (USN-1885-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-9798.NASL description Fix for CVE-2013-2126, double-free flaw when handling damaged full-color in Foveon and sRAW files. Latest upstream, corrects gcc 4.8 issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-12 plugin id 67383 published 2013-07-12 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67383 title Fedora 17 : LibRaw-0.14.8-2.fc17 (2013-9798) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-538.NASL description This update of darktable fixes a problem inside the embedded libraw version. - Fix for CVE-2013-2126 - added backported patch from git master 0001-fixed-error-handling-for-broken-full-color-images.p atch fixes bnc#823114- last seen 2020-06-05 modified 2014-06-13 plugin id 75060 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75060 title openSUSE Security Update : darktable (openSUSE-SU-2013:1083-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201309-09.NASL description The remote host is affected by the vulnerability described in GLSA-201309-09 (LibRaw, libkdcraw: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibRaw and libkdcraw. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted file, possibly resulting in arbitrary code execution or Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 69900 published 2013-09-15 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69900 title GLSA-201309-09 : LibRaw, libkdcraw: Multiple vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1884-1.NASL description It was discovered that LibRaw incorrectly handled broken full-color images. If a user or automated system were tricked into processing a specially crafted raw image, applications linked against LibRaw could be made to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 66922 published 2013-06-19 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66922 title Ubuntu 12.04 LTS / 12.10 / 13.04 : libraw vulnerability (USN-1884-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-13499.NASL description KDE released updates for its Workspaces, Applications, and Development Platform. These updates are the last in a series of monthly stabilization updates to the 4.10 series. 4.10.5 updates bring many bugfixes on top of the latest edition in the 4.10 series and are recommended updates for everyone running 4.10.4 or earlier versions. See also: http://kde.org/announcements/announce-4.10.5.php Fix for CVE-2013-2126, double-free flaw when handling damaged full-color in Foveon and sRAW files Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-31 plugin id 69153 published 2013-07-31 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69153 title Fedora 17 : analitza-4.10.5-1.fc17 / ark-4.10.5-1.fc17 / audiocd-kio-4.10.5-1.fc17 / etc (2013-13499) NASL family Fedora Local Security Checks NASL id FEDORA_2013-9773.NASL description Fix for CVE-2013-2126, double-free flaw when handling damaged full-color in Foveon and sRAW files. Latest upstream, corrects gcc 4.8 issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-12 plugin id 67377 published 2013-07-12 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67377 title Fedora 18 : LibRaw-0.14.8-2.fc18 (2013-9773) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-567.NASL description libkdcraw was updated to fix a possible double-free() on error recovery on damaged full-color (Foveon, sRAW) files. (CVE-2013-2126) last seen 2020-06-05 modified 2014-06-13 plugin id 75078 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75078 title openSUSE Security Update : libkdcraw (openSUSE-SU-2013:1168-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-13038.NASL description Fix for CVE-2013-2126, double-free flaw when handling damaged full-color in Foveon and sRAW files Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-24 plugin id 69026 published 2013-07-24 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69026 title Fedora 19 : libkdcraw-4.10.5-2.fc19 (2013-13038) NASL family Fedora Local Security Checks NASL id FEDORA_2013-9722.NASL description Fix for CVE-2013-2126, double-free flaw when handling damaged full-color in Foveon and sRAW files. Latest upstream, corrects gcc 4.8 issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-07-12 plugin id 67373 published 2013-07-12 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67373 title Fedora 19 : LibRaw-0.14.8-2.fc19 (2013-9722) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-537.NASL description This update of libraw fixes a security issue. - security update : - CVE-2013-2126.patch [bnc#822665] last seen 2020-06-05 modified 2014-06-13 plugin id 75059 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75059 title openSUSE Security Update : libraw (openSUSE-SU-2013:1085-1)
References
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00193.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00195.html
- http://secunia.com/advisories/53547
- http://secunia.com/advisories/53883
- http://secunia.com/advisories/53888
- http://secunia.com/advisories/53938
- http://www.libraw.org/news/libraw-0-15-2
- http://www.openwall.com/lists/oss-security/2013/05/29/7
- http://www.openwall.com/lists/oss-security/2013/06/10/1
- http://www.ubuntu.com/usn/USN-1884-1
- http://www.ubuntu.com/usn/USN-1885-1
- https://github.com/LibRaw/LibRaw/commit/19ffddb0fe1a4ffdb459b797ffcf7f490d28b5a6