Vulnerabilities > CVE-2018-5805 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
libraw
redhat
CWE-787
nessus

Summary

A boundary error within the "quicktake_100_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to cause a stack-based buffer overflow and subsequently cause a crash.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-3065.NASL
    descriptionAn update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/ libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/ dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118987
    published2018-11-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118987
    titleCentOS 7 : libkdcraw (CESA-2018:3065)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3065 and 
    # CentOS Errata and Security Advisory 2018:3065 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118987);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-5800", "CVE-2018-5801", "CVE-2018-5802", "CVE-2018-5805", "CVE-2018-5806");
      script_xref(name:"RHSA", value:"2018:3065");
    
      script_name(english:"CentOS 7 : libkdcraw (CESA-2018:3065)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for libkdcraw is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Libkdcraw is a C++ interface around the LibRaw library used to decode
    the RAW picture files.
    
    Security Fix(es) :
    
    * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw()
    function in internal/dcraw_common.cpp (CVE-2018-5805)
    
    * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw
    function in internal/dcraw_common.cpp (CVE-2018-5800)
    
    * LibRaw: NULL pointer dereference in LibRaw::unpack function src/
    libraw_cxx.cpp (CVE-2018-5801)
    
    * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/
    dcraw_common.cpp (CVE-2018-5802)
    
    * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in
    internal/dcraw_common.cpp (CVE-2018-5806)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.6 Release Notes linked from the References section."
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2018-November/005516.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4b524dba"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libkdcraw packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5802");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libkdcraw");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libkdcraw-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libkdcraw-4.10.5-5.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libkdcraw-devel-4.10.5-5.el7")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libkdcraw / libkdcraw-devel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-3065.NASL
    descriptionFrom Red Hat Security Advisory 2018:3065 : An update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/ libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/ dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118767
    published2018-11-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118767
    titleOracle Linux 7 : libkdcraw (ELSA-2018-3065)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181030_LIBKDCRAW_ON_SL7_X.NASL
    description* LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806)
    last seen2020-03-18
    modified2018-11-27
    plugin id119190
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119190
    titleScientific Linux Security Update : libkdcraw on SL7.x x86_64 (20181030)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0068_LIBKDCRAW.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libkdcraw packages installed that are affected by multiple vulnerabilities: - LibRaw is vulnerable to stack-based buffer overflow in internal/dcraw_common.cpp:quicktake_100_load_raw() function when processing specially-crafted RAW data. An attacker could potentially use this flaw to cause an arbitrary code execution or denial of service. (CVE-2018-5805) - A NULL pointer dereference flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5801) - An out-of-bounds read flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5802) - A NULL pointer dereference vulnerability in internal/dcraw_common.cpp:leaf_hdr_load_raw() function was found in LibRaw. A user can cause a denial of service when processing specially-crafted RAW data. (CVE-2018-5806) - A heap-based out-of-bounds access flaw was found in the way LibRaw processed images. An attacker could potentially use this flaw to crash applications using LibRaw by tricking them into processing crafted images. (CVE-2018-5800) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127269
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127269
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : libkdcraw Multiple Vulnerabilities (NS-SA-2019-0068)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0002-1.NASL
    descriptionThis update for libraw fixes the following issues : Security issues fixed : CVE-2018-5808: Fixed a stack-based buffer overflow and code execution vulnerability in find_green() function internal/dcraw_common.cpp (bsc#1118894). CVE-2018-5805: Fixed a boundary error within the quicktake_100_load_raw function (bsc#1097973) CVE-2018-5806: Fixed a a NULL pointer dereference in the leaf_hdr_load_raw function (bsc#1097974) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-07
    plugin id120982
    published2019-01-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120982
    titleSUSE SLED12 Security Update : libraw (SUSE-SU-2019:0002-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3065.NASL
    descriptionAn update for libkdcraw is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Libkdcraw is a C++ interface around the LibRaw library used to decode the RAW picture files. Security Fix(es) : * LibRaw: Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5805) * LibRaw: Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp (CVE-2018-5800) * LibRaw: NULL pointer dereference in LibRaw::unpack function src/ libraw_cxx.cpp (CVE-2018-5801) * LibRaw: Out-of-bounds read in kodak_radc_load_raw function internal/ dcraw_common.cpp (CVE-2018-5802) * LibRaw: NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp (CVE-2018-5806) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118522
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118522
    titleRHEL 7 : libkdcraw (RHSA-2018:3065)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1619.NASL
    descriptionThis update for libraw fixes the following issues : The following security vulnerabilities were addressed : - CVE-2018-5804: Fixed a type confusion error within the identify function that could trigger a division by zero, leading to a denial of service (Dos). (boo#1097975) - CVE-2018-5805: Fixed a boundary error within the quicktake_100_load_raw function that could cause a stack-based buffer overflow and subsequently trigger a crash. (boo#1097973) - CVE-2018-5806: Fixed an error within the leaf_hdr_load_raw function that could trigger a NULL pointer deference, leading to a denial of service (DoS). (boo#1097974) - CVE-2018-5808: Fixed an error within the find_green function that could cause a stack-based buffer overflow and subsequently execute arbitrary code. (boo#1118894) - CVE-2018-5816: Fixed a type confusion error within the identify function that could trigger a division by zero, leading to a denial of service (DoS). (boo#1097975)
    last seen2020-06-05
    modified2018-12-31
    plugin id119949
    published2018-12-31
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119949
    titleopenSUSE Security Update : libraw (openSUSE-2018-1619)

Redhat

advisories
rhsa
idRHSA-2018:3065
rpms
  • libkdcraw-0:4.10.5-5.el7
  • libkdcraw-debuginfo-0:4.10.5-5.el7
  • libkdcraw-devel-0:4.10.5-5.el7