CVE-2013-1438
Published: 30 August 2013
Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used in libraw, ufraw, shotwell, and other products, allows context-dependent attackers to cause a denial of service via a crafted photo file that triggers a (1) divide-by-zero, (2) infinite loop, or (3) NULL pointer dereference.
Notes
Author | Note |
---|---|
jdstrand | upstream says to use 0.14-stable branch from github repo |
sbeattie | darktable as of 2.0.0 does not have embedded LibRaw anymore |
Priority
Status
Package | Release | Status |
---|---|---|
darktable | artful | Not vulnerable (2.0.3-1) |
darktable | bionic | Not vulnerable (2.0.3-1) |
darktable | cosmic | Not vulnerable (2.0.3-1) |
darktable | disco | Not vulnerable (2.0.3-1) |
darktable | eoan | Not vulnerable (2.0.3-1) |
darktable | focal | Not vulnerable (2.0.3-1) |
darktable | groovy | Not vulnerable (2.0.3-1) |
darktable | hirsute | Not vulnerable (2.0.3-1) |
darktable | impish | Not vulnerable (2.0.3-1) |
darktable | jammy | Not vulnerable (2.0.3-1) |
darktable | kinetic | Not vulnerable (2.0.3-1) |
darktable | lucid | Does not exist |
darktable | lunar | Not vulnerable (2.0.3-1) |
darktable | mantic | Not vulnerable (2.0.3-1) |
darktable | noble | Not vulnerable (2.0.3-1) |
darktable | precise | Ignored (end of life) |
darktable | quantal | Ignored (end of life) |
darktable | raring | Ignored (end of life) |
darktable | saucy | Ignored (end of life) |
darktable | trusty | Does not exist (trusty was needed) |
darktable | upstream | Needs triage |
darktable | utopic | Ignored (end of life) |
darktable | vivid | Ignored (end of life) |
darktable | wily | Ignored (end of life) |
darktable | xenial | Not vulnerable (2.0.3-1) |
darktable | yakkety | Not vulnerable (2.0.3-1) |
darktable | zesty | Not vulnerable (2.0.3-1) |
dcraw | artful | Ignored (end of life) |
dcraw | bionic | Needed |
dcraw | cosmic | Ignored (end of life) |
dcraw | disco | Not vulnerable (9.28-2) |
dcraw | eoan | Not vulnerable (9.28-2) |
dcraw | focal | Not vulnerable (9.28-2) |
dcraw | groovy | Not vulnerable (9.28-2) |
dcraw | hirsute | Not vulnerable (9.28-2) |
dcraw | impish | Not vulnerable (9.28-2) |
dcraw | jammy | Not vulnerable (9.28-2) |
dcraw | kinetic | Not vulnerable (9.28-2) |
dcraw | lucid | Ignored (end of life) |
dcraw | lunar | Not vulnerable (9.28-2) |
dcraw | mantic | Not vulnerable (9.28-2) |
dcraw | noble | Not vulnerable (9.28-2) |
dcraw | precise | Ignored (end of life) |
dcraw | quantal | Ignored (end of life) |
dcraw | raring | Ignored (end of life) |
dcraw | saucy | Ignored (end of life) |
dcraw | trusty | Does not exist (trusty was needed) |
dcraw | upstream | Needs triage |
dcraw | utopic | Ignored (end of life) |
dcraw | vivid | Ignored (end of life) |
dcraw | wily | Ignored (end of life) |
dcraw | xenial | Needed |
dcraw | yakkety | Ignored (end of life) |
dcraw | zesty | Ignored (end of life) |
exactimage | artful | Not vulnerable (0.8.9-3build1) |
exactimage | bionic | Not vulnerable (0.8.9-3build1) |
exactimage | cosmic | Not vulnerable (0.8.9-3build1) |
exactimage | disco | Not vulnerable (0.8.9-3build1) |
exactimage | eoan | Not vulnerable (0.8.9-3build1) |
exactimage | focal | Not vulnerable (0.8.9-3build1) |
exactimage | groovy | Not vulnerable (0.8.9-3build1) |
exactimage | hirsute | Not vulnerable (0.8.9-3build1) |
exactimage | impish | Not vulnerable (0.8.9-3build1) |
exactimage | jammy | Not vulnerable (0.8.9-3build1) |
exactimage | kinetic | Not vulnerable (0.8.9-3build1) |
exactimage | lucid | Ignored (end of life) |
exactimage | lunar | Not vulnerable (0.8.9-3build1) |
exactimage | mantic | Not vulnerable (0.8.9-3build1) |
exactimage | noble | Not vulnerable (0.8.9-3build1) |
exactimage | precise | Ignored (end of life) |
exactimage | quantal | Ignored (end of life) |
exactimage | raring | Ignored (end of life) |
exactimage | saucy | Ignored (end of life) |
exactimage | trusty | Does not exist (trusty was not-affected [0.8.9-3build1]) |
exactimage | upstream | Released (0.8.9-1) |
exactimage | utopic | Not vulnerable (0.8.9-3build1) |
exactimage | vivid | Not vulnerable (0.8.9-3build1) |
exactimage | wily | Not vulnerable (0.8.9-3build1) |
exactimage | xenial | Not vulnerable (0.8.9-3build1) |
exactimage | yakkety | Not vulnerable (0.8.9-3build1) |
exactimage | zesty | Not vulnerable (0.8.9-3build1) |
libkdcraw | artful | Does not exist |
libkdcraw | bionic | Does not exist |
libkdcraw | cosmic | Does not exist |
libkdcraw | disco | Does not exist |
libkdcraw | eoan | Does not exist |
libkdcraw | focal | Does not exist |
libkdcraw | groovy | Does not exist |
libkdcraw | hirsute | Does not exist |
libkdcraw | impish | Does not exist |
libkdcraw | jammy | Does not exist |
libkdcraw | kinetic | Does not exist |
libkdcraw | lucid | Does not exist |
libkdcraw | lunar | Does not exist |
libkdcraw | mantic | Does not exist |
libkdcraw | noble | Does not exist |
libkdcraw | precise | Released (4:4.8.5-0ubuntu0.3) |
libkdcraw | quantal | Ignored (end of life) |
libkdcraw | raring | Ignored (end of life) |
libkdcraw | saucy | Ignored (end of life) |
libkdcraw | trusty | Does not exist (trusty was not-affected [4:4.11.1-0ubuntu2]) |
libkdcraw | upstream | Needs triage |
libkdcraw | utopic | Ignored (end of life) |
libkdcraw | vivid | Ignored (end of life) |
libkdcraw | wily | Ignored (end of life) |
libkdcraw | xenial | Not vulnerable |
libkdcraw | yakkety | Ignored (end of life) |
libkdcraw | zesty | Not vulnerable |
libraw | artful | Released (0.15.3-1ubuntu1) |
libraw | bionic | Released (0.15.3-1ubuntu1) |
libraw | cosmic | Released (0.15.3-1ubuntu1) |
libraw | disco | Released (0.15.3-1ubuntu1) |
libraw | eoan | Released (0.15.3-1ubuntu1) |
libraw | focal | Released (0.15.3-1ubuntu1) |
libraw | groovy | Released (0.15.3-1ubuntu1) |
libraw | hirsute | Released (0.15.3-1ubuntu1) |
libraw | impish | Released (0.15.3-1ubuntu1) |
libraw | jammy | Released (0.15.3-1ubuntu1) |
libraw | kinetic | Released (0.15.3-1ubuntu1) |
libraw | lucid | Does not exist |
libraw | lunar | Released (0.15.3-1ubuntu1) |
libraw | mantic | Released (0.15.3-1ubuntu1) |
libraw | noble | Released (0.15.3-1ubuntu1) |
libraw | precise | Released (0.14.4-0ubuntu2.2) |
libraw | quantal | Released (0.14.7-0ubuntu1.12.10.2) |
libraw | raring | Released (0.14.7-0ubuntu1.13.04.2) |
libraw | saucy | Released (0.15.3-1ubuntu1) |
libraw | trusty | Released (0.15.3-1ubuntu1) |
libraw | upstream | Released (0.15.4) |
libraw | utopic | Released (0.15.3-1ubuntu1) |
libraw | vivid | Released (0.15.3-1ubuntu1) |
libraw | wily | Released (0.15.3-1ubuntu1) |
libraw | xenial | Released (0.15.3-1ubuntu1) |
libraw | yakkety | Released (0.15.3-1ubuntu1) |
libraw | zesty | Released (0.15.3-1ubuntu1) |
libraw | Patches | upstream: https://github.com/LibRaw/LibRaw/commit/9ae25d8c3a6bfb40c582538193264f74c9b93bc0; upstream: https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad; upstream: https://github.com/LibRaw/LibRaw/commit/c4e374ea6c979a7d1d968f5082b7d0ea8cd27202 |
rawstudio | artful | Does not exist |
rawstudio | bionic | Does not exist |
rawstudio | cosmic | Does not exist |
rawstudio | disco | Does not exist |
rawstudio | eoan | Does not exist |
rawstudio | focal | Does not exist |
rawstudio | groovy | Does not exist |
rawstudio | hirsute | Does not exist |
rawstudio | impish | Does not exist |
rawstudio | jammy | Does not exist |
rawstudio | kinetic | Does not exist |
rawstudio | lucid | Ignored (end of life) |
rawstudio | lunar | Does not exist |
rawstudio | mantic | Does not exist |
rawstudio | noble | Does not exist |
rawstudio | precise | Ignored (end of life) |
rawstudio | quantal | Ignored (end of life) |
rawstudio | raring | Ignored (end of life) |
rawstudio | saucy | Ignored (end of life) |
rawstudio | trusty | Does not exist (trusty was needed) |
rawstudio | upstream | Needs triage |
rawstudio | utopic | Does not exist |
rawstudio | vivid | Does not exist |
rawstudio | wily | Does not exist |
rawstudio | xenial | Does not exist |
rawstudio | yakkety | Does not exist |
rawstudio | zesty | Does not exist |
rawtherapee | artful | Ignored (end of life) |
rawtherapee | bionic | Needed |
rawtherapee | cosmic | Ignored (end of life) |
rawtherapee | disco | Ignored (end of life) |
rawtherapee | eoan | Ignored (end of life) |
rawtherapee | focal | Needed |
rawtherapee | groovy | Ignored (end of life) |
rawtherapee | hirsute | Ignored (end of life) |
rawtherapee | impish | Ignored (end of life) |
rawtherapee | jammy | Needed |
rawtherapee | kinetic | Ignored (end of life, was needed) |
rawtherapee | lucid | Does not exist |
rawtherapee | lunar | Ignored (end of life, was needed) |
rawtherapee | mantic | Ignored (end of life, was needed) |
rawtherapee | noble | Needed |
rawtherapee | precise | Ignored (end of life) |
rawtherapee | quantal | Ignored (end of life) |
rawtherapee | raring | Ignored (end of life) |
rawtherapee | saucy | Ignored (end of life) |
rawtherapee | trusty | Does not exist (trusty was needed) |
rawtherapee | upstream | Needs triage |
rawtherapee | utopic | Ignored (end of life) |
rawtherapee | vivid | Ignored (end of life) |
rawtherapee | wily | Ignored (end of life) |
rawtherapee | xenial | Needed |
rawtherapee | yakkety | Ignored (end of life) |
rawtherapee | zesty | Ignored (end of life) |
ufraw | artful | Released (0.19.2-2ubuntu1) |
ufraw | bionic | Released (0.19.2-2ubuntu1) |
ufraw | cosmic | Released (0.19.2-2ubuntu1) |
ufraw | disco | Released (0.19.2-2ubuntu1) |
ufraw | eoan | Does not exist |
ufraw | focal | Does not exist |
ufraw | groovy | Does not exist |
ufraw | hirsute | Does not exist |
ufraw | impish | Does not exist |
ufraw | jammy | Does not exist |
ufraw | kinetic | Does not exist |
ufraw | lucid | Ignored (end of life) |
ufraw | lunar | Does not exist |
ufraw | mantic | Does not exist |
ufraw | noble | Does not exist |
ufraw | precise | Ignored (end of life) |
ufraw | quantal | Ignored (end of life) |
ufraw | raring | Ignored (end of life) |
ufraw | saucy | Released (0.19.2-2ubuntu1) |
ufraw | trusty | Released (0.19.2-2ubuntu1) |
ufraw | upstream | Needs triage |
ufraw | utopic | Released (0.19.2-2ubuntu1) |
ufraw | vivid | Released (0.19.2-2ubuntu1) |
ufraw | wily | Released (0.19.2-2ubuntu1) |
ufraw | xenial | Released (0.19.2-2ubuntu1) |
ufraw | yakkety | Released (0.19.2-2ubuntu1) |
ufraw | zesty | Released (0.19.2-2ubuntu1) |
xmbc | artful | Does not exist |
xmbc | bionic | Does not exist |
xmbc | cosmic | Does not exist |
xmbc | disco | Does not exist |
xmbc | eoan | Does not exist |
xmbc | focal | Does not exist |
xmbc | groovy | Does not exist |
xmbc | hirsute | Does not exist |
xmbc | impish | Does not exist |
xmbc | jammy | Does not exist |
xmbc | kinetic | Does not exist |
xmbc | lucid | Does not exist |
xmbc | lunar | Does not exist |
xmbc | mantic | Does not exist |
xmbc | noble | Does not exist |
xmbc | precise | Does not exist |
xmbc | quantal | Does not exist |
xmbc | raring | Does not exist |
xmbc | saucy | Does not exist |
xmbc | trusty | Does not exist |
xmbc | upstream | Needs triage |
xmbc | utopic | Does not exist |
xmbc | vivid | Does not exist |
xmbc | wily | Does not exist |
xmbc | xenial | Does not exist |
xmbc | yakkety | Does not exist |
xmbc | zesty | Does not exist |
References
- http://www.openwall.com/lists/oss-security/2013/08/29/3
- https://ubuntu.com/security/notices/USN-1964-1
- https://ubuntu.com/security/notices/USN-1978-1
- https://www.cve.org/CVERecord?id=CVE-2013-1438
- NVD
- Launchpad
- Debian
Bugs
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721235
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721239 (libkdcraw)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721232
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721233
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721234
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231 (libraw)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721237
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721236
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721238