Vulnerabilities > CVE-2018-5800 - Off-by-one Error vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.7 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-3065.NASL description An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/ libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/ dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 118987 published 2018-11-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118987 title CentOS 7 : libkdcraw (CESA-2018:3065) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:3065 and # CentOS Errata and Security Advisory 2018:3065 respectively. # include("compat.inc"); if (description) { script_id(118987); script_version("1.4"); script_cvs_date("Date: 2019/12/31"); script_cve_id("CVE-2018-5800", "CVE-2018-5801", "CVE-2018-5802", "CVE-2018-5805", "CVE-2018-5806"); script_xref(name:"RHSA", value:"2018:3065"); script_name(english:"CentOS 7 : libkdcraw (CESA-2018:3065)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/ libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/ dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section." ); # https://lists.centos.org/pipermail/centos-cr-announce/2018-November/005516.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4b524dba" ); script_set_attribute( attribute:"solution", value:"Update the affected libkdcraw packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5802"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libkdcraw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libkdcraw-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/07"); script_set_attribute(attribute:"patch_publication_date", value:"2018/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libkdcraw-4.10.5-5.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libkdcraw-devel-4.10.5-5.el7")) flag++; if (flag) { cr_plugin_caveat = '\n' + 'NOTE: The security advisory associated with this vulnerability has a\n' + 'fixed package version that may only be available in the continuous\n' + 'release (CR) repository for CentOS, until it is present in the next\n' + 'point release of CentOS.\n\n' + 'If an equal or higher package level does not exist in the baseline\n' + 'repository for your major version of CentOS, then updates from the CR\n' + 'repository will need to be applied in order to address the\n' + 'vulnerability.\n'; security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + cr_plugin_caveat ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libkdcraw / libkdcraw-devel"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-3065.NASL description From Red Hat Security Advisory 2018:3065 : An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/ libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/ dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 118767 published 2018-11-07 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118767 title Oracle Linux 7 : libkdcraw (ELSA-2018-3065) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1734.NASL description Secunia Research has discovered multiple vulnerabilities in libraw, a raw image decoder library, which can be exploited to cause a Denial of Service. The issues contain divisions by zero, out-of-bounds read memory access, heap-based buffer overflows and NULL pointer dereferences. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 123471 published 2019-03-29 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123471 title Debian DLA-1734-1 : libraw security update NASL family Scientific Linux Local Security Checks NASL id SL_20181030_LIBKDCRAW_ON_SL7_X.NASL description * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) last seen 2020-03-18 modified 2018-11-27 plugin id 119190 published 2018-11-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119190 title Scientific Linux Security Update : libkdcraw on SL7.x x86_64 (20181030) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-3343-1.NASL description This update for libraw fixes the following issues : Security issues fixed : CVE-2018-5800: Fixed heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function (bsc#1084691). CVE-2018-5801: Fixed NULL pointer dereference in LibRaw::unpack function (bsc#1084690). CVE-2018-5802: Fixed out-of-bounds read in kodak_radc_load_raw function (bsc#1084688). CVE-2018-5813: Fixed infinite loop in the parse_minolta function (bsc#1103200) CVE-2018-5810: Fixed a heap-based buffer overflow in rollei_load_raw (bsc#1103353) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 118353 published 2018-10-24 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118353 title SUSE SLED12 Security Update : libraw (SUSE-SU-2018:3343-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-281.NASL description This update for libraw fixes the following issues : - CVE-2018-5800: Specially crafted RAW files may have caused an application crash via a heap-based buffer overflow (boo#1084690) - CVE-2018-5801: Specially crafted RAW files may have been used to trigger a NULL pointer de-reference (boo#1084691) - CVE-2018-5802: Specially crafted RAW files may have caused an application crash via a heap-based buffer overflow (boo#1084688) last seen 2020-06-05 modified 2018-03-19 plugin id 108445 published 2018-03-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108445 title openSUSE Security Update : libraw (openSUSE-2018-281) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0068_LIBKDCRAW.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libkdcraw packages installed that are affected by multiple vulnerabilities: - LibRaw is vulnerable to stack-based buffer overflow in internal/dcraw_common.cpp:quicktake_100_load_raw() function when processing specially-crafted RAW data. An attacker could potentially use this flaw to cause an arbitrary code execution or denial of service. (CVE-2018-5805) - A NULL pointer dereference flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5801) - An out-of-bounds read flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5802) - A NULL pointer dereference vulnerability in internal/dcraw_common.cpp:leaf_hdr_load_raw() function was found in LibRaw. A user can cause a denial of service when processing specially-crafted RAW data. (CVE-2018-5806) - A heap-based out-of-bounds access flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5800) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127269 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127269 title NewStart CGSL CORE 5.04 / MAIN 5.04 : libkdcraw Multiple Vulnerabilities (NS-SA-2019-0068) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3615-1.NASL description It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108832 published 2018-04-04 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108832 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : libraw vulnerabilities (USN-3615-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-3065.NASL description An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/ libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/ dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 118522 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118522 title RHEL 7 : libkdcraw (RHSA-2018:3065) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6F0B0CBF127411E88B5B4CCC6ADDA413.NASL description Secunia Research reports : CVE-2018-5800: An off-by-one error within the last seen 2020-06-01 modified 2020-06-02 plugin id 106855 published 2018-02-16 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106855 title FreeBSD : libraw -- multiple DoS vulnerabilities (6f0b0cbf-1274-11e8-8b5b-4ccc6adda413)
Redhat
advisories |
| ||||
rpms |
|
References
- https://secuniaresearch.flexerasoftware.com/secunia_research/2018-1/
- https://secuniaresearch.flexerasoftware.com/advisories/79000/
- https://github.com/LibRaw/LibRaw/blob/master/Changelog.txt
- https://usn.ubuntu.com/3615-1/
- https://access.redhat.com/errata/RHSA-2018:3065
- http://www.securityfocus.com/bid/104663
- https://lists.debian.org/debian-lts-announce/2019/03/msg00036.html
- https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4