Vulnerabilities > CVE-2015-8367 - Improper Initialization vulnerability in Libraw
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH
Summary
The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses the file. During that window, the attacker could, for example, replace the file and cause an escalation of privilege.
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201701-60.NASL
description: The remote host is affected by the vulnerability described in GLSA-201701-60 (LibRaw: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in LibRaw. Please review the CVE identifiers referenced below for details. Impact: An attacker could execute arbitrary code, cause a Denial of Service condition, or have other unspecified impacts. Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96746
published: 2017-01-25
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96746
title: GLSA-201701-60 : LibRaw: Multiple vulnerabilities
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201701-60.
    #
    # The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #

    include("compat.inc");

    if (description)
    {
      script_id(96746);
      script_version("3.3");
      script_cvs_date("Date: 2020/01/22");

      script_cve_id("CVE-2015-3885", "CVE-2015-8366", "CVE-2015-8367");
      script_xref(name:"GLSA", value:"201701-60");

      script_name(english:"GLSA-201701-60 : LibRaw: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Gentoo host is missing one or more security-related patches."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is affected by the vulnerability described in GLSA-201701-60
    (LibRaw: Multiple vulnerabilities)

        Multiple vulnerabilities have been discovered in LibRaw. Please review
          the CVE identifiers referenced below for details.

    Impact :

        An attacker could execute arbitrary code, cause a Denial of Service
          condition, or have other unspecified impacts.

    Workaround :

        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201701-60"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "All LibRaw users should upgrade to the latest version:

      # emerge --sync
      # emerge --ask --oneshot --verbose '>=media-libs/libraw-0.17.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:libraw");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");

    # Bail out unless local checks are enabled and this is a Gentoo host with a package list.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    flag = 0;

    # Any installed media-libs/libraw older than 0.17.1 is vulnerable.
    if (qpkg_check(package:"media-libs/libraw", unaffected:make_list("ge 0.17.1"), vulnerable:make_list("lt 0.17.1"))) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "LibRaw");
    }
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2016-1264.NASL
description: This update for libraw fixes the following issues: CVE-2015-8367: Memory objects are not initialized properly (boo#957517).
last seen: 2020-06-05
modified: 2016-11-07
plugin id: 94597
published: 2016-11-07
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/94597
title: openSUSE Security Update : libraw (openSUSE-2016-1264)
code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2016-1264.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #

    include("compat.inc");

    if (description)
    {
      script_id(94597);
      script_version("2.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

      script_cve_id("CVE-2015-8367");

      script_name(english:"openSUSE Security Update : libraw (openSUSE-2016-1264)");
      script_summary(english:"Check for the openSUSE-2016-1264 patch");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update for libraw fixes the following issues :

      - CVE-2015-8367: Memory objects are not intialized properly
        (boo#957517)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=957517"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected libraw packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-devel-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw10");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw10-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/11/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Only openSUSE 42.1 on x86 / x86_64 is covered by this update.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

    flag = 0;

    # Each installed libraw package older than the fixed 0.16.2-4.1 build raises the flag.
    if ( rpm_check(release:"SUSE42.1", reference:"libraw-debugsource-0.16.2-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libraw-devel-0.16.2-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libraw-devel-static-0.16.2-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libraw-tools-0.16.2-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libraw-tools-debuginfo-0.16.2-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libraw10-0.16.2-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libraw10-debuginfo-0.16.2-4.1") ) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libraw-debugsource / libraw-devel / libraw-devel-static / etc");
    }
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-D2FC332108.NASL
description: Patch for CVE-2015-8366, CVE-2015-8367. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89421
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89421
title: Fedora 23 : LibRaw-0.16.2-3.fc23 (2015-d2fc332108)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-A288773B9A.NASL
description: Patch for CVE-2015-8366, CVE-2015-8367. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89348
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89348
title: Fedora 22 : LibRaw-0.16.2-3.fc22 (2015-a288773b9a)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_6BC6EED29CCA11E58C2BC335FA8985D7.NASL
description: ChenQin reports: The LibRaw raw image decoder has multiple vulnerabilities that can cause memory errors which may lead to code execution or other problems. In CVE-2015-8367, LibRaw
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87225
published: 2015-12-08
reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87225
title: FreeBSD : libraw -- memory objects not properly initialized (6bc6eed2-9cca-11e5-8c2b-c335fa8985d7)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2015-900.NASL
description: This update fixes the following security issue: CVE-2015-8367: It was found that the phase_one_correct function does not handle memory object initialization correctly, which may have unspecified impact (bsc#957517).
last seen: 2020-06-05
modified: 2015-12-17
plugin id: 87444
published: 2015-12-17
reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87444
title: openSUSE Security Update : libraw (openSUSE-2015-900)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-2300-1.NASL
description: This update for libraw fixes the following issues:
- CVE-2015-3885: A specially crafted raw image file could have caused a Denial of Service through an integer overflow. (bsc#930683)
- CVE-2015-8367: The function phase_one_correct() did not handle memory object initialization correctly, which may have caused some other problems. (bsc#957517)
- CVE-2017-6886: memory corruption in parse_tiff_ifd() func (internal/dcraw_common.cpp) could lead to Denial of service (bsc#1039380)
- CVE-2017-6889: integer overflow error within the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 102855
published: 2017-08-31
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/102855
title: SUSE SLED12 Security Update : libraw (SUSE-SU-2017:2300-1)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-3492-1.NASL
description: It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 104785
published: 2017-11-27
reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/104785
title: Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : libraw vulnerabilities (USN-3492-1)
References
- http://packetstormsecurity.com/files/134573/LibRaw-0.17-Overflow.html
- http://seclists.org/fulldisclosure/2015/Nov/108
- http://www.libraw.org/news/libraw-0-17-1