Security Advisory Details

NS-SA-2025-0242

2026-04-08 21:01:52

Summary

important: LibRaw/python3.11-setuptools security update

Severity

important

Topic

An update for LibRaw/python3.11-setuptools is now available for NewStart CGSL MAIN 6.06.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

LibRaw:
python3.11-setuptools:


Security Fix(es):
LibRaw: The "faster LJPEG decoder" in libraw 0.13.x, 0.14.x, and 0.15.x before 0.15.4 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a crafted photo file.(CVE-2013-1439)
LibRaw: Multiple double free vulnerabilities in the LibRaw::unpack function in libraw_cxx.cpp in LibRaw before 0.15.2 allow context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed full-color (1) Foveon or (2) sRAW image file.(CVE-2013-2126)
LibRaw: Array index error in smal_decode_segment function in LibRaw before 0.17.1 allows context-dependent attackers to cause memory errors and possibly execute arbitrary code via vectors related to indexes.(CVE-2015-8366)
LibRaw: The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.(CVE-2015-8367)
LibRaw: There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack.(CVE-2017-13735)
LibRaw: before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file.(CVE-2017-14348)
LibRaw: before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength.(CVE-2020-15503)
LibRaw: A flaw was found in the libraw library. This issue occurs due to an out-of-bounds read vulnerability that exists within the "LibRaw::stretch()" function (libraw\src\postprocessing\aspect_ratio.cpp) when parsing a crafted CRW file.(CVE-2020-22628)
LibRaw: A stack buffer overflow vulnerability was found in LibRaw. This flaw allows a malicious user to send a crafted image that, when parsed by an application linked to LibRaw, leads to a denial of service or potential code execution.(CVE-2020-24870)
LibRaw: bugfix
python3.11-setuptools: A flaw was found in the package_index module of pypa/setuptools. Affected versions of this package allow remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.(CVE-2024-6345)
python3.11-setuptools: bugfix
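The python3.11-setuptools entry above describes a command-injection class of bug: a URL that an application receives from a user or an index server is interpolated into a shell command line, so shell metacharacters in the URL run as extra commands. The following is an added example written for this advisory, not setuptools' own code: it contrasts a hypothetical shell-interpolated invocation with an argv-based one, using `echo` as a stand-in for the real VCS client so that it runs offline, and adds a URL allow-list check. The URLs, the `echo` command and the scheme list are constructed assumptions.

```python
import subprocess
from urllib.parse import urlsplit

# Constructed inputs (not taken from the advisory): a benign URL and one that
# smuggles a second command after ';'.
BENIGN_URL = "https://example.invalid/project.git"
HOSTILE_URL = "https://example.invalid/project.git; echo INJECTED"

# Characters /bin/sh treats specially; a download URL never legitimately needs them.
_SHELL_META = set(";&|`$<>()\n\r\t '\"\\")
# Assumed allow-list of schemes a package downloader would accept.
ALLOWED_SCHEMES = {"http", "https", "git", "ssh", "git+https", "git+ssh"}


def run_shell_interpolated(url):
    """Hypothetical vulnerable pattern: the URL is pasted into a shell string.
    'echo' stands in for the real VCS client; the shell still splits on ';'."""
    cmdline = f"echo fetching {url}"
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv(url):
    """Hardened form: the URL is a single argv element and no shell is involved,
    so the ';' and everything after it stay inside one argument."""
    out = subprocess.run(["echo", "fetching", url], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def is_acceptable_download_url(url):
    """Defence in depth for any code path that still reaches a shell: require an
    allow-listed scheme and a host, and reject shell metacharacters outright."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    return not any(c in _SHELL_META for c in url)


if __name__ == "__main__":
    print("shell-interpolated:", run_shell_interpolated(HOSTILE_URL))  # two lines: injection ran
    print("argv:              ", run_argv(HOSTILE_URL))                # one line: URL stayed literal
    print("accept benign:     ", is_acceptable_download_url(BENIGN_URL))
    print("accept hostile:    ", is_acceptable_download_url(HOSTILE_URL))
```

The argv form is the actual fix; the allow-list is a belt-and-braces check for callers that cannot immediately remove every `shell=True` path.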


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Note that the build tag is 6.06.10B5.

Affected Components

  • LibRaw
  • python3.11-setuptools

Affected Products

  • CGSL MAIN 6.06

Update Packages

{"fix":[{"product":"CGSL MAIN 6.06","pkgs":[{"binary":["LibRaw-0.19.5-3.0.1.zncgsl6.t1.0.x86_64.rpm"],"source":"LibRaw-0.19.5-3.0.1.zncgsl6.t1.0.src.rpm"},{"binary":["python3.11-setuptools-wheel-65.5.1-3.zncgsl6.noarch.rpm","python3.11-setuptools-65.5.1-3.zncgsl6.noarch.rpm"],"source":"python3.11-setuptools-65.5.1-3.zncgsl6.src.rpm"}]}]}
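To confirm that a CGSL MAIN 6.06 host actually carries the fixed builds, the fix list above can be compared against the installed package set. The following is an added example, not part of NewStart's advisory tooling: it parses the JSON exactly as printed above, reads NAME-VERSION-RELEASE.ARCH lines such as `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` produces, and classifies each binary package as fixed, vulnerable or not installed. The sample installed list is constructed, and the version comparison is a simplified rpmvercmp that assumes no epochs and no tilde/caret ordering in these packages.

```python
import json
import re

# The fix list from this advisory, verbatim.
ADVISORY_FIX = (
    '{"fix":[{"product":"CGSL MAIN 6.06","pkgs":['
    '{"binary":["LibRaw-0.19.5-3.0.1.zncgsl6.t1.0.x86_64.rpm"],'
    '"source":"LibRaw-0.19.5-3.0.1.zncgsl6.t1.0.src.rpm"},'
    '{"binary":["python3.11-setuptools-wheel-65.5.1-3.zncgsl6.noarch.rpm",'
    '"python3.11-setuptools-65.5.1-3.zncgsl6.noarch.rpm"],'
    '"source":"python3.11-setuptools-65.5.1-3.zncgsl6.src.rpm"}]}]}'
)

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`
# output on a host that still runs a pre-advisory LibRaw build. Not real host data.
SAMPLE_INSTALLED = [
    "LibRaw-0.19.5-3.zncgsl6.x86_64",
    "python3.11-setuptools-65.5.1-3.zncgsl6.noarch",
    "bash-5.1.8-6.zncgsl6.x86_64",
]


def parse_nvra(s):
    """Split NAME-VERSION-RELEASE.ARCH (with or without a trailing .rpm) from the
    right, because NAME may contain dashes and RELEASE contains dots."""
    if s.endswith(".rpm"):
        s = s[:-4]
    nvr, arch = s.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into runs of digits and runs of letters; digits
    compare numerically, letters lexically, a numeric segment beats an alphabetic
    one, and whichever string has segments left over is newer. Epochs and the
    tilde/caret rules are not handled (assumption: unused in these packages)."""
    if a == b:
        return 0
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_vr(installed, fixed):
    """Compare (version, release) pairs the way rpm does: version, then release."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def check_advisory(advisory_json, installed_lines):
    """Return {binary rpm filename: 'fixed' | 'vulnerable' | 'not installed'}."""
    installed = {}
    for line in installed_lines:
        n, v, r, a = parse_nvra(line.strip())
        installed[(n, a)] = (v, r)
    report = {}
    for product in json.loads(advisory_json)["fix"]:
        for pkg in product["pkgs"]:
            for rpm_file in pkg["binary"]:
                n, v, r, a = parse_nvra(rpm_file)
                cur = installed.get((n, a))
                if cur is None:
                    report[rpm_file] = "not installed"
                elif compare_vr(cur, (v, r)) >= 0:
                    report[rpm_file] = "fixed"
                else:
                    report[rpm_file] = "vulnerable"
    return report


if __name__ == "__main__":
    for rpm_file, state in check_advisory(ADVISORY_FIX, SAMPLE_INSTALLED).items():
        print(f"{state:14s} {rpm_file}")
```

A package that is not installed is not exposed by this advisory; a "vulnerable" result means the installed build sorts below the fixed NVR and the update from the link in the Solution section still needs to be applied.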

CVE

References