Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-15503

LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength.

Published

2020-07-02T14:15:11.683

Last Modified

2024-11-21T05:05:39.190

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	libraw	libraw	≤ 0.19.5	Yes
Application	libraw	libraw	0.20	Yes
Application	libraw	libraw	0.20	Yes
Application	libraw	libraw	0.20	Yes
Operating System	fedoraproject	fedora	31	Yes
Operating System	fedoraproject	fedora	32	Yes
Operating System	debian	debian_linux	10.0	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00075.html Broken Link, Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00001.html Broken Link, Mailing List, Third Party Advisory ([email protected])
https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d Patch, Third Party Advisory ([email protected])
https://github.com/LibRaw/LibRaw/compare/0.20-Beta3...0.20-RC1 Release Notes, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/11/msg00042.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HM2DS6HA4YZREI3BYGS75M6D76WMW62/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSXAJKZ4VNDYVQULJNY4XDPWHIJDTB4P/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNGDWTO45TU4KGND75EUUEGUMNSOYC7H/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCVKD7PTO7UQAVUTBHJAKBKYLPQQGAMZ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y34ALB34P3NGQXLF7BG7R6DGRX6XL2JN/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZETDVPZQWZWVGIG6JTIEKP5KPVMUE7Y/ ([email protected])
https://www.libraw.org/news/libraw-0-20-rc1 Broken Link, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00075.html Broken Link, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00001.html Broken Link, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/LibRaw/LibRaw/compare/0.20-Beta3...0.20-RC1 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/11/msg00042.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HM2DS6HA4YZREI3BYGS75M6D76WMW62/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSXAJKZ4VNDYVQULJNY4XDPWHIJDTB4P/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNGDWTO45TU4KGND75EUUEGUMNSOYC7H/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCVKD7PTO7UQAVUTBHJAKBKYLPQQGAMZ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y34ALB34P3NGQXLF7BG7R6DGRX6XL2JN/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZETDVPZQWZWVGIG6JTIEKP5KPVMUE7Y/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.libraw.org/news/libraw-0-20-rc1 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)