CVE-2015-3885

Published: 19 May 2015

Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier allows remote attackers to cause a denial of service (crash) via a crafted image, which triggers a buffer overflow, related to the len variable.

From the Ubuntu security team

It was discovered that FreeImage incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause FreeImage to crash, resulting in a denial of service, or possibly execute arbitrary code.

Priority

Negligible

Status

Package Release Status
darktable
Upstream Released (1.4.2-1+deb8u1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable (1.6.8-1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable (1.6.8-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable (1.6.8-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (1.6.8-1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable (1.6.8-1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)

dcraw
Upstream Released (9.27-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable (9.27-1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable (9.27-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable (9.27-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (9.27-1)
Ubuntu 16.04 LTS (Xenial Xerus) Needed
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)

exactimage
Upstream Released (0.9.1-6)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable (0.9.1-6)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable (0.9.1-6)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable (0.9.1-6)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (0.9.1-6)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable (0.9.1-6)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)

freeimage
Upstream Released (3.15.4-6)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable (3.15.4-6)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable (3.15.4-6)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable (3.15.4-6)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (3.15.4-6)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable (3.15.4-6)
Ubuntu 14.04 ESM (Trusty Tahr) Needed
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)

kodi
Upstream Released (16.0~rc3+dfsg2-1)
Ubuntu 21.04 (Hirsute Hippo) Does not exist
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable (16.0~rc3+dfsg2-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable (16.0~rc3+dfsg2-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (16.0~rc3+dfsg2-1)
Ubuntu 16.04 LTS (Xenial Xerus) Needed
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist

libraw
Upstream Released (0.16.0-9+deb8u3)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable (0.18.2-1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable (0.18.2-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable (0.18.2-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (0.18.2-1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable (0.17.1-1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was released [0.15.4-1ubuntu0.1])
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)
Patches:
Upstream: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
This vulnerability is mitigated in part by the use of gcc's stack protector in Ubuntu.

rawstudio
Upstream Needed
Ubuntu 21.04 (Hirsute Hippo) Does not exist
Ubuntu 20.10 (Groovy Gorilla) Does not exist
Ubuntu 20.04 LTS (Focal Fossa) Does not exist
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)
Patches:
Upstream: https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e

rawtherapee
Upstream Released (4.2-2)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable (4.2-4)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)

ufraw
Upstream Released (0.20-3)
Ubuntu 21.04 (Hirsute Hippo) Does not exist
Ubuntu 20.10 (Groovy Gorilla) Does not exist
Ubuntu 20.04 LTS (Focal Fossa) Does not exist
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (0.20-3)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable (0.20-3)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)

xbmc
Upstream Needed
Ubuntu 21.04 (Hirsute Hippo) Does not exist
Ubuntu 20.10 (Groovy Gorilla) Does not exist
Ubuntu 20.04 LTS (Focal Fossa) Does not exist
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist (precise was needed)