Metric | CVSS 3.1 | CVSS 2 |
---|---|---|
Base score | 5.5 (Medium) | 1.9 (Low) |
Attack / Access Vector | LOCAL | LOCAL |
Attack / Access Complexity | LOW | MEDIUM |
Privileges Required / Authentication | NONE | NONE |
User Interaction | REQUIRED | (no v2 metric) |
Scope | UNCHANGED | (no v2 metric) |
Confidentiality Impact | NONE | NONE |
Integrity Impact | NONE | NONE |
Availability Impact | HIGH | PARTIAL |
Vector string | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | AV:L/AC:M/Au:N/C:N/I:N/A:P |

EPSS: 0.001 (Low), 27.1th percentile
Package : libraw
Version : 0.19.2-2+deb10u1
CVE ID : CVE-2020-35530 CVE-2020-35531 CVE-2020-35532 CVE-2020-35533
Multiple file parsing vulnerabilities have been fixed in libraw. They
affect the DNG and X3F format parsers. All four are reached simply by
getting libraw to open a crafted image, so any program that decodes
untrusted raw files with it (converters, thumbnailers, gallery software)
is exposed; the CVSS vectors above rate them as availability (crash)
issues with no confidentiality or integrity impact.
CVE-2020-35530
An out-of-bounds write in the new_node() function
(src/x3f/x3f_utils_patched.cpp) can be triggered via a crafted X3F
file. Reported by GitHub user 0xfoxone.
CVE-2020-35531
An out-of-bounds read exists in the get_huffman_diff() function
(src/x3f/x3f_utils_patched.cpp) when reading data from an image file.
Reported by GitHub user GirlElecta.
CVE-2020-35532
An out-of-bounds read exists in the simple_decode_row() function
(src/x3f/x3f_utils_patched.cpp) and can be triggered via an image
with a large row_stride field. Reported by GitHub user GirlElecta.
CVE-2020-35533
An out-of-bounds read exists in the LibRaw::adobe_copy_pixel()
function (src/decoders/dng.cpp) when reading data from the image file.
Reported by GitHub user GirlElecta.
For Debian 10 buster, these problems have been fixed in version
0.19.2-2+deb10u1.
We recommend that you upgrade your libraw packages. Because libraw19 is
a shared library, processes that already have it loaded keep running the
old code until they are restarted.
For the detailed security status of libraw please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libraw
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Release | Architecture | Package | Affected version | Fixed package file |
---|---|---|---|---|---|
Debian | 10 | all | libraw-doc | < 0.19.2-2+deb10u1 | libraw-doc_0.19.2-2+deb10u1_all.deb |
Debian | 10 | all | libraw-bin | < 0.19.2-2+deb10u1 | libraw-bin_0.19.2-2+deb10u1_all.deb |
Debian | 10 | all | libraw | < 0.19.2-2+deb10u1 | libraw_0.19.2-2+deb10u1_all.deb |
Debian | 10 | all | libraw-dev | < 0.19.2-2+deb10u1 | libraw-dev_0.19.2-2+deb10u1_all.deb |
Debian | 10 | all | libraw19 | < 0.19.2-2+deb10u1 | libraw19_0.19.2-2+deb10u1_all.deb |