This advisory was just released concerning dcraw:
http://www.ocert.org/advisories/ocert-2015-006.html
When PL 19 is released, it should use the appropriate version of dcraw (or its patch) to ensure the vulnerability is addressed.
Alert for security vulnerability in dcraw
- Member
- Posts: 2162
- Registered: Sat 28 Sep 2013 01:25
Ken
Yes, I think it can be eeeeeasily done....
Just take everything out on Highway 61.
- Beta tester
- Posts: 3674
- Registered: Thu 26 Nov 2009 22:59
Re: Alert for security vulnerability in dcraw
Just a "Denial-of-Service" problem, according to your source, meaning that PL may freeze when you try to open a bad raw file. Therefore, I don't see a reason to delay the release of PL (or worry about the current PL), even though there is no patched dcraw yet.
Besides, the dcraw version in PL is updated regularly anyway, because that's what you have to do to add raw support for the latest cameras.
Cheers
Burkhard.
- Member
- Posts: 2162
- Registered: Sat 28 Sep 2013 01:25
Re: Alert for security vulnerability in dcraw
From my reading of the advisory, it seems that the author of dcraw has already issued a patch for this, and one can assume that newer versions of dcraw will incorporate the fix. There's no telling what the consequences of a DoS attack could be. As long as a security vulnerability has been identified and addressed, it makes sense to accommodate the fix in the upcoming PL.
Ken
Yes, I think it can be eeeeeasily done....
Just take everything out on Highway 61.
- Beta tester
- Posts: 3674
- Registered: Thu 26 Nov 2009 22:59
Re: Alert for security vulnerability in dcraw
photoken wrote: From my reading of the advisory, it seems that the author of dcraw has already issued a patch for this, and one can assume that newer versions of dcraw will incorporate the fix.

Point is, there is no fixed version of dcraw (yet). The most recent version is 2015-04-11, and the security flaw is still there. Of course, PL should update to the patched version asap (or just patch the bug manually, aborting if len <= 2 in ljpeg_start).
Cheers
Burkhard.
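An added example, not dcraw's source and not code from the advisory or from PL: a small C reader for a JPEG marker segment of the kind the ljpeg_start remark above concerns (a 2-byte marker followed by a 2-byte big-endian length that counts its own two bytes). naive_payload_len() shows what goes wrong when a reader subtracts 2 from a declared length of 0 or 1 before sizing its read; parse_segment() applies the guard described above (reject a length too small to cover itself) and additionally bounds the payload by the destination buffer and the remaining input. The segment layout, function names and sample bytes are assumptions for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SEG_MAX 64  /* capacity of the segment buffer in this example (assumed) */

/* Constructed sample segments: marker 0xFFE0, 2-byte length, 4 payload bytes. */
const uint8_t SAMPLE_GOOD[] = {0xff, 0xe0, 0x00, 0x06, 'J', 'F', 'I', 'F'}; /* len 6 = 2 + 4 */
const uint8_t SAMPLE_LEN1[] = {0xff, 0xe0, 0x00, 0x01, 'J', 'F', 'I', 'F'}; /* len 1: impossible */
const uint8_t SAMPLE_LEN0[] = {0xff, 0xe0, 0x00, 0x00, 'J', 'F', 'I', 'F'}; /* len 0: impossible */
const uint8_t SAMPLE_HUGE[] = {0xff, 0xe0, 0xff, 0xff, 'J', 'F', 'I', 'F'}; /* len 65535: oversize */

/* Unchecked computation: declared length minus the two bytes it occupies.
 * For a declared length of 0 or 1 the result is negative; handed to fread()
 * as a size_t it becomes an enormous count, i.e. a read far past the buffer. */
long naive_payload_len(const uint8_t *hdr)
{
    int len = (hdr[2] << 8 | hdr[3]) - 2;
    return len;
}

/* Hardened reader. Copies the segment payload into out and stores its size
 * in *payload. Returns 0 on success, -1 on any malformed or oversize input. */
int parse_segment(const uint8_t *buf, size_t buflen,
                  uint8_t *out, size_t outcap, size_t *payload)
{
    if (buflen < 4) return -1;                       /* need marker + length */
    unsigned tag = (unsigned)buf[0] << 8 | buf[1];
    unsigned len = (unsigned)buf[2] << 8 | buf[3];
    if (tag <= 0xff00) return -1;                    /* not a 0xFFxx marker */
    if (len < 2) return -1;                          /* length counts itself: < 2 cannot happen */
    size_t want = len - 2;                           /* cannot underflow now */
    if (want > outcap) return -1;                    /* would overflow destination */
    if (want > buflen - 4) return -1;                /* truncated input */
    memcpy(out, buf + 4, want);
    *payload = want;
    return 0;
}

/* Convenience wrapper: payload length on success, -1 if the segment is rejected. */
long check_segment(const uint8_t *buf, size_t buflen)
{
    uint8_t out[SEG_MAX];
    size_t n = 0;
    if (parse_segment(buf, buflen, out, sizeof out, &n) != 0) return -1;
    return (long)n;
}

int main(void)
{
    printf("good segment: payload %ld\n", check_segment(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("length 1: hardened %ld, naive %ld\n",
           check_segment(SAMPLE_LEN1, sizeof SAMPLE_LEN1), naive_payload_len(SAMPLE_LEN1));
    printf("length 65535: hardened %ld\n", check_segment(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    return 0;
}
```

The point of the two extra bounds (destination capacity and remaining input) is that fixing only the underflow still leaves a fixed-size segment buffer exposed to a large but "valid" declared length; a reader of untrusted raw files should treat every length field as hostile.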
- Member
- Posts: 2162
- Registered: Sat 28 Sep 2013 01:25
Re: Alert for security vulnerability in dcraw
bkh wrote: Of course, PL should update to the patched version asap (or just patch the bug manually, aborting if len <= 2 in ljpeg_start).

Or, if a fully patched version of dcraw does not appear in time to be incorporated in the release version of PL 19, do as the developers of RawTherapee are doing and manually incorporate the patch that has been released by the author of dcraw.
Ken
Yes, I think it can be eeeeeasily done....
Just take everything out on Highway 61.
- Beta tester
- Posts: 3674
- Registered: Thu 26 Nov 2009 22:59
Re: Alert for security vulnerability in dcraw
photoken wrote: Or, if a fully patched version of dcraw does not appear in time to be incorporated in the release version of PL 19, do as the developers of RawTherapee are doing and manually incorporate the patch that has been released by the author of dcraw.

Any idea where to get the "official" patch? Neither the security page nor the dcraw page seems to have a reference.
Cheers
Burkhard.
- Member
- Posts: 140
- Registered: Wed 04 Dec 2013 05:48
Re: Alert for security vulnerability in dcraw
It's for raw images, not related to a format shared over the internet (jpg, png, svg, gif, etc.).
This vulnerability may well complete its lifecycle without a hit; no worries unless:
You're downloading raw images from the internet to process.
Even if you find an infected one, just CTRL+ALT+DEL, terminate the task and keep going. No worries unless:
You're processing raw images on a server (web, file, service, etc.), which shouldn't even freeze.
Be comfortable, guys, I've been in security stuff for several years. These are simple things. If you knew the unpatched vulnerabilities of your core Windows or web apps and servers (which can affect you), you'd be shocked.
- Member
- Posts: 2162
- Registered: Sat 28 Sep 2013 01:25
Re: Alert for security vulnerability in dcraw
bkh wrote: Any idea where to get the "official" patch? Neither the security page nor the dcraw page seems to have a reference.

No idea. I'm just repeating the timeline info on that advisory page and the discussion about it on the RawTherapee forum.
Ken
Yes, I think it can be eeeeeasily done....
Just take everything out on Highway 61.