{"id":"MGASA-2022-0160","summary":"Updated dcraw packages fix security vulnerability","details":"A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be\nused by attackers able to supply malicious files to crash an application\nthat bundles the dcraw code or leak private information. (CVE-2018-19565)\n\nA heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be\nused by attackers able to supply malicious files to crash an application\nthat bundles the dcraw code or leak private information. (CVE-2018-19566)\n\nA floating point exception in parse_tiff_ifd in dcraw through 9.28 could\nbe used by attackers able to supply malicious files to crash an application\nthat bundles the dcraw code. (CVE-2018-19567)\n\nA floating point exception in kodak_radc_load_raw in dcraw through 9.28\ncould be used by attackers able to supply malicious files to crash an\napplication that bundles the dcraw code. (CVE-2018-19568)\n\nA boundary error within the \"quicktake_100_load_raw()\" function\n(internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be\nexploited to cause a stack-based buffer overflow and subsequently cause a\ncrash. (CVE-2018-5805)\n\nAn error within the \"leaf_hdr_load_raw()\" function\n(internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be\nexploited to trigger a NULL pointer dereference. (CVE-2018-5806)\n\nThere is an integer overflow vulnerability in dcraw. When the victim runs\ndcraw with a maliciously crafted X3F input image, arbitrary code may be\nexecuted in the victim's system. (CVE-2021-3624)\n","modified":"2026-04-16T00:12:11.902490692Z","published":"2022-05-06T20:16:39Z","upstream":["CVE-2018-19565","CVE-2018-19566","CVE-2018-19567","CVE-2018-19568","CVE-2018-5805","CVE-2018-5806","CVE-2021-3624"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0160.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=24107"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2018/11/27/1"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YDVWQ5ZUMZUOMBBPVXPXX6XNCBNZ2BMJ/"}],"affected":[{"package":{"name":"dcraw","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/dcraw?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.28.0-6.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0160.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}