Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Libraw 0.18.5 Denial Of Service Vulnerability

🗓️ 12 Dec 2017 00:00:00Reported by Laurent DelosieresType 
zdt
 zdt🔗 0day.today👁 62 Views

LibRaw 0.18.5 Denial Of Service Vulnerability - Heap-based buffer overflow and invalid read memory access via specially crafted TIFF image, fixed in version 0.18.6

Related
Code
ReporterTitlePublishedViews
Family
AlpineLinux		CVE-2017-16910
7 Dec 201822:00
alpinelinux
BDU FSTEC		The vulnerability of the internal/dcraw_common.cpp component in the LibRaw image processing library allows a hacker to trigger a service failure.
28 Sep 202200:00
bdu_fstec
BDU FSTEC		The vulnerability of the dcraw_common.cpp component in the LibRaw image processing library allows a perpetrator to gain access to confidential data, compromise its integrity, and cause service failures.
3 Oct 202200:00
bdu_fstec
FreeBSD		libraw -- multiple DoS vulnerabilities
4 Dec 201700:00
freebsd
CNVD		LibRaw 'LibRaw::panasonic_load_raw()' function heap buffer overflow vulnerability
11 Dec 201800:00
cnvd
CNVD		LibRaw 'LibRaw::xtrans_interpolate()' function denial of service vulnerability
11 Dec 201800:00
cnvd
CVE		CVE-2017-16909
7 Dec 201822:00
cve
CVE		CVE-2017-16910
7 Dec 201822:00
cve
Cvelist		CVE-2017-16909
7 Dec 201822:00
cvelist
Cvelist		CVE-2017-16910
7 Dec 201822:00
cvelist
Rows per page
======================================================================
                                            
         LibRaw Multiple Denial of Service Vulnerabilities

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Flexera Software...............................................8
Verification.........................................................9

======================================================================
1) Affected Software

* LibRaw versions prior to 0.18.6.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in LibRaw,
which can be exploited by malicious people to cause a DoS (Denial of
Service). 

1) An error related to the "LibRaw::panasonic_load_raw()" function
(dcraw_common.cpp) can be exploited to cause a heap-based buffer
overflow and subsequently cause a crash via a specially crafted TIFF
image.

2) An error within the "LibRaw::xtrans_interpolate()" function
(internal/dcraw_common.cpp) can be exploited to cause an invalid read
memory access.

The vulnerabilities are confirmed in version 0.18.5 and reported in
versions prior to 0.18.6.

======================================================================
4) Solution

Update to version 0.18.6.

======================================================================
5) Time Table

2017/12/04 - Maintainer contacted with the vulnerability details.
2017/12/04 - Maintainer confirmed the vulnerability.
2017/12/06 - Maintainer released a fix.
2017/12/07 - Release of Secunia Advisory SA76000.
2017/12/08 - Public disclosure of Secunia Research Advisory.

======================================================================
6) Credits

Laurent Delosieres, Secunia Research at Flexera Software.

======================================================================
7) References

The Flexera Software CNA has assigned the CVE-2017-16909 and
CVE-2017-16910 identifiers for the vulnerabilities through the Common
Vulnerabilities and Exposures (CVE) project.

======================================================================
8) About Flexera Software

Flexera  helps application  producers and enterprises  increase
application usage and the value they derive from their software.

http://www.flexerasoftware.com/enterprise/company/about/

Flexera delivers  market-leading  Software  Vulnerability Management
solutions  enabling  enterprises  to  proactively  identify  and
remediate software vulnerabilities, effectively reducing the risk of
costly security breaches.

http://www.flexerasoftware.com/enterprise/products/

Flexera  supports  and  contributes  to  the community in several
ways.  We  have  always  believed  that  reliable  vulnerability
intelligence and tools to aid identifying and fixing vulnerabilities
should be  freely available  for  consumers  to ensure that users,
who care about their online privacy and security, can stay secure.
Only a few vendors address vulnerabilities in a proper way and help
users get updated  and  stay secure.  End-users (whether private
individuals or businesses) are otherwise left largely alone,  and
that is why back in 2002, Secunia Research started investigating,
coordinating  disclosure  and  verifying software vulnerabilities.
In  2016,  Secunia Research  became  a  part  of  Flexera and today
our in-house software vulnerability research remains the core  of
the  Software  Vulnerability  Management  products  at Flexera.

https://secuniaresearch.flexerasoftware.com/community/research/

The  public Secunia Advisory database  contains  information  for
researchers, security enthusiasts, and consumers to lookup individual
products and vulnerabilities and assess, whether they need to take
any actions to secure their systems or whether a given vulnerability
has already been discovered

https://secuniaresearch.flexerasoftware.com/community/advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19

======================================================================

#  0day.today [2018-01-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Dec 2017 00:00Current
7.5High risk
Vulners AI Score7.5
EPSS0.01993
librawdenial of servicevulnerabilityheap-based buffer overflowinvalid read memory accesstiff imageversion 0.18.6secunia researchflexera softwarecve-2017-16909cve-2017-16910vulnerability management.
62