oCERT-2015-006 dcraw input sanitization errors

Description:

The dcraw photo decoder is an open source project for raw image parsing.

The dcraw tool, as well as several other projects re-using its code, suffers from an integer overflow condition which lead to a buffer overflow. The vulnerability concerns the 'len' variable, parsed without validation from opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability, causing a Denial of Service condition.

Affected version:

dcraw >= 7.00

UFRaw >= 0.5

LibRaw <= 0.16.0, 0.17-Alpha2

RawTherapee >= 3.0

CxImage >= 6.00

Rawstudio >= 0.1

Kodi >= 10.0

ExactImage >= 0.1.0

Fixed version:

dcraw, N/A

UFRaw, N/A

LibRaw >= 0.16.1, 0.17-Alpha3

RawTherapee, N/A

CxImage, N/A

Rawstudio, N/A

Kodi, N/A

ExactImage, N/A

Credit: vulnerability report from Eduardo Castellanos <guayin [at] gmail [dot] com>.

CVE: CVE-2015-3885

Timeline:

2015-04-24: vulnerability report received
2015-04-27: contacted dcraw maintainer
2015-04-30: patch provided by maintainer
2015-05-04: reporter confirms patch
2015-05-11: contacted additional affected vendors
2015-05-11: advisory release
2015-05-12: assigned CVE

References:
https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e