Security update for dcraw

Announcement ID:	SUSE-SU-2022:1749-1
Rating:	moderate
References:	bsc#1056170 bsc#1063798 bsc#1084690 bsc#1097973 bsc#1097974 bsc#1117436 bsc#1117512 bsc#1117517 bsc#1117622 bsc#1117896 bsc#1189642
Cross-References:	CVE-2017-13735 CVE-2017-14608 CVE-2018-19565 CVE-2018-19566 CVE-2018-19567 CVE-2018-19568 CVE-2018-19655 CVE-2018-5801 CVE-2018-5805 CVE-2018-5806 CVE-2021-3624
CVSS scores:	CVE-2017-13735 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-13735 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-14608 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2017-14608 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-19565 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-19565 ( NVD ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2018-19566 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVE-2018-19566 ( NVD ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2018-19567 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-19567 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-19568 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-19568 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-19655 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-19655 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-5801 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-5801 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-5805 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-5805 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-5806 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-5806 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-3624 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2021-3624 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE Linux Enterprise Workstation Extension 12 12-SP5

An update that solves 11 vulnerabilities can now be installed.

Description:

This update for dcraw fixes the following issues:

• CVE-2017-13735: Fixed a denial of service issue due to a floating point exception (bsc#1056170).
• CVE-2017-14608: Fixed an invalid memory access that could lead to information disclosure or denial of service (bsc#1063798).
• CVE-2018-19655: Fixed a buffer overflow that could lead to an application crash (bsc#1117896).
• CVE-2018-5801: Fixed an invalid memory access that could lead to denial of service (bsc#1084690).
• CVE-2018-5805: Fixed a buffer overflow that could lead to an application crash (bsc#1097973).
• CVE-2018-5806: Fixed an invalid memory access that could lead to denial of service (bsc#1097974).
• CVE-2018-19565: Fixed an invalid memory access that could lead to information disclosure or denial of service (bsc#1117622).
• CVE-2018-19566: Fixed an invalid memory access that could lead to information disclosure or denial of service (bsc#1117517).
• CVE-2018-19567: Fixed a denial of service issue due to a floating point exception (bsc#1117512).
• CVE-2018-19568: Fixed a denial of service issue due to a floating point exception (bsc#1117436).
• CVE-2021-3624: Fixed a buffer overflow that could lead to code execution or denial of service (bsc#1189642).

Non-security fixes:

• Updated to version 9.28.0.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-1749=1
• SUSE Linux Enterprise Workstation Extension 12 12-SP5
  zypper in -t patch SUSE-SLE-WE-12-SP5-2022-1749=1

Package List:

• SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
  • dcraw-debugsource-9.28.0-3.3.1
  • dcraw-9.28.0-3.3.1
  • dcraw-debuginfo-9.28.0-3.3.1
• SUSE Linux Enterprise Workstation Extension 12 12-SP5 (x86_64)
  • dcraw-debugsource-9.28.0-3.3.1
  • dcraw-9.28.0-3.3.1
  • dcraw-debuginfo-9.28.0-3.3.1
• SUSE Linux Enterprise Workstation Extension 12 12-SP5 (noarch)
  • dcraw-lang-9.28.0-3.3.1

References:

• https://www.suse.com/security/cve/CVE-2017-13735.html
• https://www.suse.com/security/cve/CVE-2017-14608.html
• https://www.suse.com/security/cve/CVE-2018-19565.html
• https://www.suse.com/security/cve/CVE-2018-19566.html
• https://www.suse.com/security/cve/CVE-2018-19567.html
• https://www.suse.com/security/cve/CVE-2018-19568.html
• https://www.suse.com/security/cve/CVE-2018-19655.html
• https://www.suse.com/security/cve/CVE-2018-5801.html
• https://www.suse.com/security/cve/CVE-2018-5805.html
• https://www.suse.com/security/cve/CVE-2018-5806.html
• https://www.suse.com/security/cve/CVE-2021-3624.html
• https://bugzilla.suse.com/show_bug.cgi?id=1056170
• https://bugzilla.suse.com/show_bug.cgi?id=1063798
• https://bugzilla.suse.com/show_bug.cgi?id=1084690
• https://bugzilla.suse.com/show_bug.cgi?id=1097973
• https://bugzilla.suse.com/show_bug.cgi?id=1097974
• https://bugzilla.suse.com/show_bug.cgi?id=1117436
• https://bugzilla.suse.com/show_bug.cgi?id=1117512
• https://bugzilla.suse.com/show_bug.cgi?id=1117517
• https://bugzilla.suse.com/show_bug.cgi?id=1117622
• https://bugzilla.suse.com/show_bug.cgi?id=1117896
• https://bugzilla.suse.com/show_bug.cgi?id=1189642