oss-sec mailing list archives
Re: Crashes and memory safety bugs in dcraw
From: Ian Zimmerman <itz () very loosely org>
Date: Fri, 23 Nov 2018 09:17:43 -0800
On 2018-11-23 09:22, Hanno Böck wrote:
> dcraw is a tool to process raw images from digital cameras. It easily crashes with various issues (tested version 9.28.0). This was very shallow testing (afl fuzzing with random inputs, not starting with valid images), I assume there's much more. I reported those a long time ago to its author, he didn't seem interested in fixing such issues. Some applications use dcraw automatically to parse images (gthumb, kphotoalbum, kde thumbnailers, gwenview).

An important side note: because dcraw intentionally doesn't provide a library, only an executable, code from it is bundled in at least some applications that use it; thus updating the dcraw package in a distro will not by itself be the end of this problem for the distro. One such application: RawTherapee

--
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. To reply privately _only_ on Usenet and on broken lists which rewrite From, fetch the TXT record for no-use.mooo.com.