Vulnerabilities > CVE-2015-8367 - Improper Initialization vulnerability in Libraw

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
libraw
CWE-665
critical
nessus
NVD
Published: 2020-01-14
Updated: 2020-01-24

Summary

The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.

Vulnerable Configurations

Part Description Count
Application
Libraw
38

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-60.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-60 (LibRaw: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibRaw. Please review the CVE identifiers referenced below for details. Impact : An attacker could execute arbitrary code, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96746
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96746
    titleGLSA-201701-60 : LibRaw: Multiple vulnerabilities
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201701-60.
#
# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(96746);
  script_version("3.3");
  script_cvs_date("Date: 2020/01/22");

  script_cve_id("CVE-2015-3885", "CVE-2015-8366", "CVE-2015-8367");
  script_xref(name:"GLSA", value:"201701-60");

  script_name(english:"GLSA-201701-60 : LibRaw: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201701-60
(LibRaw: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in LibRaw. Please review
      the CVE identifiers referenced below for details.
  
Impact :

    An attacker could execute arbitrary code, cause a Denial of Service
      condition, or have other unspecified impacts.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201701-60"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All LibRaw users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=media-libs/libraw-0.17.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:libraw");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"media-libs/libraw", unaffected:make_list("ge 0.17.1"), vulnerable:make_list("lt 0.17.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "LibRaw");
}
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1264.NASL
    descriptionThis update for libraw fixes the following issues : - CVE-2015-8367: Memory objects are not intialized properly (boo#957517).
    last seen2020-06-05
    modified2016-11-07
    plugin id94597
    published2016-11-07
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94597
    titleopenSUSE Security Update : libraw (openSUSE-2016-1264)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-1264.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(94597);
  script_version("2.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-8367");

  script_name(english:"openSUSE Security Update : libraw (openSUSE-2016-1264)");
  script_summary(english:"Check for the openSUSE-2016-1264 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for libraw fixes the following issues :

  - CVE-2015-8367: Memory objects are not intialized
    properly (boo#957517)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=957517"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libraw packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-devel-static");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libraw10-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.1", reference:"libraw-debugsource-0.16.2-4.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libraw-devel-0.16.2-4.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libraw-devel-static-0.16.2-4.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libraw-tools-0.16.2-4.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libraw-tools-debuginfo-0.16.2-4.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libraw10-0.16.2-4.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libraw10-debuginfo-0.16.2-4.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libraw-debugsource / libraw-devel / libraw-devel-static / etc");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-D2FC332108.NASL
    descriptionPatch for CVE-2015-8366, CVE-2015-8367 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-03-04
    plugin id89421
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89421
    titleFedora 23 : LibRaw-0.16.2-3.fc23 (2015-d2fc332108)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-A288773B9A.NASL
    descriptionPatch for CVE-2015-8366, CVE-2015-8367 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-03-04
    plugin id89348
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89348
    titleFedora 22 : LibRaw-0.16.2-3.fc22 (2015-a288773b9a)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6BC6EED29CCA11E58C2BC335FA8985D7.NASL
    descriptionChenQin reports : The LibRaw raw image decoder has multiple vulnerabilities that can cause memory errors which may lead to code execution or other problems. In CVE-2015-8367, LibRaw
    last seen2020-06-01
    modified2020-06-02
    plugin id87225
    published2015-12-08
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87225
    titleFreeBSD : libraw -- memory objects not properly initialized (6bc6eed2-9cca-11e5-8c2b-c335fa8985d7)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-900.NASL
    descriptionThis update fixes the following security issue : - CVE-2015-8367 - It was found that phase_one_correct function does not handle memory object’s initialization correctly, which may have unspecified impact (bsc#957517).
    last seen2020-06-05
    modified2015-12-17
    plugin id87444
    published2015-12-17
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87444
    titleopenSUSE Security Update : libraw (openSUSE-2015-900)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2300-1.NASL
    descriptionThis update for libraw fixes the following issues : - CVE-2015-3885: A specially crafted raw image file could have caused a Denial of Service through an integer overflow. (bsc#930683) - CVE-2015-8367: The function phase_one_correct() did not handle memory object initialization correctly, which may have caused some other problems. (bsc#957517) - CVE-2017-6886: memory corruption in parse_tiff_ifd() func (internal/dcraw_common.cpp) could lead to Denial of service (bsc#1039380) - CVE-2017-6889: integer overflow error within the
    last seen2020-06-01
    modified2020-06-02
    plugin id102855
    published2017-08-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102855
    titleSUSE SLED12 Security Update : libraw (SUSE-SU-2017:2300-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3492-1.NASL
    descriptionIt was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104785
    published2017-11-27
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104785
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : libraw vulnerabilities (USN-3492-1)

References