FreeBSD : dcraw -- integer overflow condition (57325ecf-facc-11e4-968f-b888e347c638)

medium Nessus Plugin ID 83512

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

ocert reports :

The dcraw tool, as well as several other projects re-using its code, suffers from an integer overflow condition which lead to a buffer overflow.

The vulnerability concerns the 'len' variable, parsed without validation from opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability, causing a Denial of Service condition.

Solution

Update the affected packages.

See Also

http://ocert.org/advisories/ocert-2015-006.html

http://www.nessus.org/u?7eab75a2

http://www.nessus.org/u?e71e136a

https://sourceforge.net/p/netpbm/code/2512/

http://www.nessus.org/u?ccb64ca5

Plugin Details

Severity: Medium

ID: 83512

File Name: freebsd_pkg_57325ecffacc11e4968fb888e347c638.nasl

Version: 2.14

Type: local

Published: 5/18/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:cinepaint, p-cpe:/a:freebsd:freebsd:darktable, p-cpe:/a:freebsd:freebsd:dcraw, p-cpe:/a:freebsd:freebsd:dcraw-m, p-cpe:/a:freebsd:freebsd:exact-image, p-cpe:/a:freebsd:freebsd:flphoto, p-cpe:/a:freebsd:freebsd:freeimage, p-cpe:/a:freebsd:freebsd:kodi, p-cpe:/a:freebsd:freebsd:libraw, p-cpe:/a:freebsd:freebsd:lightzone, p-cpe:/a:freebsd:freebsd:netpbm, p-cpe:/a:freebsd:freebsd:opengtl, p-cpe:/a:freebsd:freebsd:rawstudio, p-cpe:/a:freebsd:freebsd:ufraw, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/15/2015

Vulnerability Publication Date: 4/24/2015

Reference Information

CVE: CVE-2015-3885