Security update for libraw

Announcement ID:	SUSE-SU-2019:0005-1
Rating:	moderate
References:	bsc#1097975 bsc#1103200 bsc#1103206
Cross-References:	CVE-2018-5804 CVE-2018-5813 CVE-2018-5815 CVE-2018-5816
CVSS scores:	CVE-2018-5804 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-5804 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-5813 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-5813 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-5815 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-5815 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-5816 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Workstation Extension 15

An update that solves four vulnerabilities can now be installed.

Description:

This update for libraw fixes the following issues:

Security issues fixed:

The following security vulnerabilities were addressed:

• CVE-2018-5813: Fixed an error within the "parse_minolta()" function (dcraw/dcraw.c) that could be exploited to trigger an infinite loop via a specially crafted file. This could be exploited to cause a DoS.(boo#1103200).
• CVE-2018-5815: Fixed an integer overflow in the internal/dcraw_common.cpp:parse_qt() function, that could be exploited to cause an infinite loop via a specially crafted Apple QuickTime file. (boo#1103206)
• CVE-2018-5804,CVE-2018-5816: Fixed a type confusion error in the identify function (bsc#1097975)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15
  zypper in -t patch SUSE-SLE-Product-WE-15-2019-5=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 (x86_64)
  • libraw-debugsource-0.18.9-3.5.1
  • libraw16-debuginfo-0.18.9-3.5.1
  • libraw-debuginfo-0.18.9-3.5.1
  • libraw16-0.18.9-3.5.1
  • libraw-devel-0.18.9-3.5.1

References:

• https://www.suse.com/security/cve/CVE-2018-5804.html
• https://www.suse.com/security/cve/CVE-2018-5813.html
• https://www.suse.com/security/cve/CVE-2018-5815.html
• https://www.suse.com/security/cve/CVE-2018-5816.html
• https://bugzilla.suse.com/show_bug.cgi?id=1097975
• https://bugzilla.suse.com/show_bug.cgi?id=1103200
• https://bugzilla.suse.com/show_bug.cgi?id=1103206