Alert for security vulnerability in dcraw

Here the beta testers of PhotoLine discuss among themselves and with the developers
photoken
Member
Posts: 2162
Joined: Sat 28 Sep 2013 01:25

Alert for security vulnerability in dcraw

Post by photoken »

This advisory was just released concerning dcraw:
http://www.ocert.org/advisories/ocert-2015-006.html
When PL 19 is released, it should use the appropriate version of dcraw (or its patch) to ensure the vulnerability is addressed.
Ken
Yes, I think it can be eeeeeasily done....
Just take everything out on Highway 61.
bkh
Betatester
Posts: 3661
Joined: Thu 26 Nov 2009 22:59

Re: Alert for security vulnerability in dcraw

Post by bkh »

Just a "Denial-of-Service" problem, according to your source, meaning that PL may freeze when you try to open a bad raw file. Therefore, I don't see a reason to delay the release of PL (or worry about the current PL), even though there is no patched dcraw yet.

Besides, the dcraw version in PL is updated regularly anyway, because that's what you have to do to add raw support for the latest cameras.

Cheers

Burkhard.
photoken
Member
Posts: 2162
Joined: Sat 28 Sep 2013 01:25

Re: Alert for security vulnerability in dcraw

Post by photoken »

From my reading of the advisory, it seems that the author of dcraw has already issued a patch for this, and one can assume that newer versions of dcraw will incorporate the fix. There's no telling what the consequences of a DoS attack could be. As long as a security vulnerability has been identified and addressed, it makes sense to accommodate the fix in the upcoming PL.
Ken
bkh
Betatester
Posts: 3661
Joined: Thu 26 Nov 2009 22:59

Re: Alert for security vulnerability in dcraw

Post by bkh »

photoken wrote: From my reading of the advisory, it seems that the author of dcraw has already issued a patch for this, and one can assume that newer versions of dcraw will incorporate the fix.
Point is, there is no fixed version of dcraw (yet) – the most recent version is 2015-04-11, and the security flaw is still there. Of course, PL should update to the patched version asap (or just patch the bug manually, aborting if len <= 2 in ljpeg_start).

Cheers

Burkhard.
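The manual check bkh describes (refuse a segment whose length field is 2 or less before subtracting the two length bytes), as an added example in C that is not dcraw's own code and not part of this thread. It parses the 16-bit big-endian length that every JPEG marker segment carries; the function and buffer names are assumptions, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not dcraw's code. A JPEG marker segment starts with a
 * 16-bit big-endian length that counts its own two bytes, so the payload
 * is len - 2. Code that computes len - 2 first and only then uses it lets
 * len <= 2 wrap around (or go negative), which turns into an oversized
 * read; that is the class of bug bkh's "len <= 2" check guards against. */

/* Returns the payload length (>= 0) of the segment at buf[0..n), or -1 if
 * the length field is missing, too small, or larger than the bytes held. */
long segment_payload_len(const uint8_t *buf, size_t n)
{
    if (n < 2)
        return -1;                       /* no room for the length field */
    unsigned len = (unsigned)buf[0] << 8 | buf[1];
    if (len <= 2)                        /* the check bkh describes */
        return -1;                       /* 0..2 would underflow len - 2 */
    if (len > n)                         /* header claims more than we hold */
        return -1;
    return (long)(len - 2);
}

/* Hypothetical caller: copies the payload into a fixed buffer, refusing the
 * segment instead of trusting the header-declared size. Returns bytes copied
 * or -1. */
long copy_segment(const uint8_t *buf, size_t n, uint8_t *out, size_t out_cap)
{
    long plen = segment_payload_len(buf, n);
    if (plen < 0 || (size_t)plen > out_cap)
        return -1;
    memcpy(out, buf + 2, (size_t)plen);
    return plen;
}

int main(void)
{
    /* Constructed inputs: a well-formed segment and one with len = 0. */
    const uint8_t good[] = {0x00, 0x05, 0xAA, 0xBB, 0xCC};
    const uint8_t bad[]  = {0x00, 0x00, 0xAA, 0xBB, 0xCC};
    uint8_t out[16];
    printf("good: %ld\n", copy_segment(good, sizeof good, out, sizeof out)); /* 3 */
    printf("bad:  %ld\n", copy_segment(bad, sizeof bad, out, sizeof out));  /* -1 */
    return 0;
}
```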
photoken
Member
Posts: 2162
Joined: Sat 28 Sep 2013 01:25

Re: Alert for security vulnerability in dcraw

Post by photoken »

bkh wrote:Of course, PL should update to the patched version asap (or just patch the bug manually, aborting if len <= 2 in ljpeg_start).
Or, if a fully patched version of dcraw does not appear in time to be incorporated in the release version of PL 19, do as the developers of RawTherapee are doing and manually incorporate the patch that has been released by the author of dcraw.
Ken
bkh
Betatester
Posts: 3661
Joined: Thu 26 Nov 2009 22:59

Re: Alert for security vulnerability in dcraw

Post by bkh »

photoken wrote: Or, if a fully patched version of dcraw does not appear in time to be incorporated in the release version of PL 19, do as the developers of RawTherapee are doing and manually incorporate the patch that has been released by the author of dcraw.
Any idea where to get the "official" patch? Neither the security page nor the dcraw page seem to have a reference.

Cheers

Burkhard.
evren
Member
Posts: 140
Joined: Wed 04 Dec 2013 05:48

Re: Alert for security vulnerability in dcraw

Post by evren »

It's for raw images, not related to a format shared over the internet (jpg, png, svg, gif, etc.).
This vulnerability may well complete its lifecycle without a hit; no worries unless:
You're downloading raw images from the internet to process.
Even if you find one infected, just terminate the task with CTRL+ALT+DEL and keep going. No worries unless:
You're processing raw images on a server (web, file, service, etc.), which shouldn't even freeze.

Be comfortable guys, I've been in security stuff for several years. Those are simple things. If you knew the unpatched vulnerabilities of your core Win. or web apps and servers (which can affect you), you'd be shocked.
photoken
Member
Posts: 2162
Joined: Sat 28 Sep 2013 01:25

Re: Alert for security vulnerability in dcraw

Post by photoken »

bkh wrote: Any idea where to get the "official" patch? Neither the security page nor the dcraw page seem to have a reference.
No idea. I'm just repeating the timeline info on that advisory page and the discussion about it on the RawTherapee forum.
Ken