CVE-2020-24889
Published: 16 September 2020
A buffer overflow vulnerability in LibRaw version < 20.0 LibRaw::GetNormalizedModel in src/metadata/normalize_model.cpp may lead to context-dependent arbitrary code execution.
Notes
Author | Note |
---|---|
mdeslaur |
affected code was introduced in 20.0, and is not present in versions earlier than that, contrary to the CVE description See "Hasselblad L1D-20c, X1D II 50C" in https://www.libraw.org/news/libraw-0-20-Release |
Priority
Status
Package | Release | Status |
---|---|---|
darktable
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
dcraw
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
exactimage
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
kodi
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
libraw
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(0.18.8-1ubuntu0.3)
|
focal |
Not vulnerable
(0.19.5-1ubuntu1)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
(0.17.1-1ubuntu0.5)
|
|
Patches:
upstream: https://github.com/LibRaw/LibRaw/commit/78d323ecbe6a9752aee6e97118a76d40704d73ee |
||
rawtherapee
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
ufraw
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
xbmc
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |