NewStart CGSL MAIN 6.06 : LibRaw Multiple Vulnerabilities (NS-SA-2025-0242)

critical Nessus Plugin ID 305658

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.06, has LibRaw packages installed that are affected by multiple vulnerabilities:

- The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization. (CVE-2015-8367)

- The faster LJPEG decoder in libraw 0.13.x, 0.14.x, and 0.15.x before 0.15.4 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a crafted photo file. (CVE-2013-1439)

- Multiple double free vulnerabilities in the LibRaw::unpack function in libraw_cxx.cpp in LibRaw before 0.15.2 allow context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed full-color (1) Foveon or (2) sRAW image file. (CVE-2013-2126)

- Array index error in smal_decode_segment function in LibRaw before 0.17.1 allows context-dependent attackers to cause memory errors and possibly execute arbitrary code via vectors related to indexes. (CVE-2015-8366)

- There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. (CVE-2017-13735)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL LibRaw packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2025-0242

https://security.gd-linux.com/info/CVE-2013-1439

https://security.gd-linux.com/info/CVE-2013-2126

https://security.gd-linux.com/info/CVE-2015-8366

https://security.gd-linux.com/info/CVE-2015-8367

https://security.gd-linux.com/info/CVE-2017-13735

https://security.gd-linux.com/info/CVE-2017-14348

https://security.gd-linux.com/info/CVE-2020-15503

https://security.gd-linux.com/info/CVE-2020-22628

https://security.gd-linux.com/info/CVE-2020-24870

Plugin Details

Severity: Critical

ID: 305658

File Name: newstart_cgsl_NS-SA-2025-0242_LibRaw.nasl

Version: 1.1

Type: Local

Published: 4/9/2026

Updated: 4/9/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2015-8367

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:libraw

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/8/2026

Vulnerability Publication Date: 5/26/2013

Reference Information

CVE: CVE-2013-1439, CVE-2013-2126, CVE-2015-8366, CVE-2015-8367, CVE-2017-13735, CVE-2017-14348, CVE-2020-15503, CVE-2020-22628, CVE-2020-24870