CVE-2018-5800 - Off-by-one Error vulnerability in multiple products

CVSS 6.5 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: NONE
  • Integrity impact: NONE
  • Availability impact: HIGH

Tags: network, low complexity, libraw, redhat, canonical, debian, CWE-193, nessus

Summary

An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.7 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.

Common Weakness Enumeration (CWE)

  • CWE-193 (Off-by-one Error)

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2018-3065.NASL
    description: An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118987
    published: 2018-11-16
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118987
    title: CentOS 7 : libkdcraw (CESA-2018:3065)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3065 and 
    # CentOS Errata and Security Advisory 2018:3065 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118987);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-5800", "CVE-2018-5801", "CVE-2018-5802", "CVE-2018-5805", "CVE-2018-5806");
      script_xref(name:"RHSA", value:"2018:3065");
    
      script_name(english:"CentOS 7 : libkdcraw (CESA-2018:3065)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for libkdcraw is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Libkdcraw is a C++ interface around the LibRaw library used to decode
    the RAW picture files.
    
    Security Fix(es) :
    
    * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw()
    function in internal/dcraw_common.cpp (CVE-2018-5805)
    
    * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw
    function in internal/dcraw_common.cpp (CVE-2018-5800)
    
    * LibRaw: NULL pointer dereference in LibRaw::unpack function src/
    libraw_cxx.cpp (CVE-2018-5801)
    
    * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/
    dcraw_common.cpp (CVE-2018-5802)
    
    * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in
    internal/dcraw_common.cpp (CVE-2018-5806)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.6 Release Notes linked from the References section."
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2018-November/005516.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4b524dba"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libkdcraw packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5802");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libkdcraw");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libkdcraw-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libkdcraw-4.10.5-5.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libkdcraw-devel-4.10.5-5.el7")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libkdcraw / libkdcraw-devel");
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-3065.NASL
    description: From Red Hat Security Advisory 2018:3065 : An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118767
    published: 2018-11-07
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118767
    title: Oracle Linux 7 : libkdcraw (ELSA-2018-3065)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1734.NASL
    description: Secunia Research has discovered multiple vulnerabilities in libraw, a raw image decoder library, which can be exploited to cause a Denial of Service. The issues contain divisions by zero, out-of-bounds read memory access, heap-based buffer overflows and NULL pointer dereferences. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 123471
    published: 2019-03-29
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123471
    title: Debian DLA-1734-1 : libraw security update
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20181030_LIBKDCRAW_ON_SL7_X.NASL
    description: * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806)
    last seen: 2020-03-18
    modified: 2018-11-27
    plugin id: 119190
    published: 2018-11-27
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119190
    title: Scientific Linux Security Update : libkdcraw on SL7.x x86_64 (20181030)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-3343-1.NASL
    description: This update for libraw fixes the following issues : Security issues fixed : CVE-2018-5800: Fixed heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function (bsc#1084691). CVE-2018-5801: Fixed NULL pointer dereference in LibRaw::unpack function (bsc#1084690). CVE-2018-5802: Fixed out-of-bounds read in kodak_radc_load_raw function (bsc#1084688). CVE-2018-5813: Fixed infinite loop in the parse_minolta function (bsc#1103200) CVE-2018-5810: Fixed a heap-based buffer overflow in rollei_load_raw (bsc#1103353) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118353
    published: 2018-10-24
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118353
    title: SUSE SLED12 Security Update : libraw (SUSE-SU-2018:3343-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-281.NASL
    description: This update for libraw fixes the following issues : - CVE-2018-5800: Specially crafted RAW files may have caused an application crash via a heap-based buffer overflow (boo#1084690) - CVE-2018-5801: Specially crafted RAW files may have been used to trigger a NULL pointer de-reference (boo#1084691) - CVE-2018-5802: Specially crafted RAW files may have caused an application crash via a heap-based buffer overflow (boo#1084688)
    last seen: 2020-06-05
    modified: 2018-03-19
    plugin id: 108445
    published: 2018-03-19
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108445
    title: openSUSE Security Update : libraw (openSUSE-2018-281)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0068_LIBKDCRAW.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libkdcraw packages installed that are affected by multiple vulnerabilities: - LibRaw is vulnerable to stack-based buffer overflow in internal/dcraw_common.cpp:quicktake_100_load_raw() function when processing specially-crafted RAW data. An attacker could potentially use this flaw to cause an arbitrary code execution or denial of service. (CVE-2018-5805) - A NULL pointer dereference flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5801) - An out-of-bounds read flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5802) - A NULL pointer dereference vulnerability in internal/dcraw_common.cpp:leaf_hdr_load_raw() function was found in LibRaw. A user can cause a denial of service when processing specially-crafted RAW data. (CVE-2018-5806) - A heap-based out-of-bounds access flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5800) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127269
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127269
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : libkdcraw Multiple Vulnerabilities (NS-SA-2019-0068)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3615-1.NASL
    description: It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108832
    published: 2018-04-04
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108832
    title: Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : libraw vulnerabilities (USN-3615-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-3065.NASL
    description: An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118522
    published: 2018-10-31
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118522
    title: RHEL 7 : libkdcraw (RHSA-2018:3065)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_6F0B0CBF127411E88B5B4CCC6ADDA413.NASL
    description: Secunia Research reports : CVE-2018-5800: An off-by-one error within the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106855
    published: 2018-02-16
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106855
    title: FreeBSD : libraw -- multiple DoS vulnerabilities (6f0b0cbf-1274-11e8-8b5b-4ccc6adda413)

Redhat

advisories
  • rhsa id: RHSA-2018:3065
rpms
  • libkdcraw-0:4.10.5-5.el7
  • libkdcraw-debuginfo-0:4.10.5-5.el7
  • libkdcraw-devel-0:4.10.5-5.el7