<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    On 21.11.24 15:32, Ajin Deepak wrote:
    <blockquote type="cite"
cite="mid:CAJvOCVnvoN7k+2MM+tG91qq11UFA+SfK+ZqsYJ=sYsxa0VSSbg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail-gs"
style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:'Google Sans',Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
          <div class="gmail-">
            <div id="gmail-:tb" class="gmail-ii gmail-gt gmail-adO"
style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
              <div id="gmail-:tc" class="gmail-a3s gmail-aiL"
style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
                <div dir="ltr"> While <code>dcraw</code> is a standalone
                  CLI tool, it can be integrated into other software.
                  For example, I saw RawTherapee using dcraw.<br>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Yes, whatever, this is a pretty UI around dcraw, but it is still
    software that a user executes. I repeat my question: What service
    can suffer under a denial of service attack as you stated in your
    first email?<br>
    <br>
    <blockquote type="cite"
cite="mid:CAJvOCVnvoN7k+2MM+tG91qq11UFA+SfK+ZqsYJ=sYsxa0VSSbg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail-gs"
style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:'Google Sans',Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
          <div class="gmail-">
            <div id="gmail-:tb" class="gmail-ii gmail-gt gmail-adO"
style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
              <div id="gmail-:tc" class="gmail-a3s gmail-aiL"
style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
                <div dir="ltr"><br>
                  Address leaks or memory leaks in tools like <code>dcraw</code> could
                  expose sensitive memory data when run in multi-user
                  systems, potentially aiding attackers in other
                  exploits such as bypassing ASLR.<br>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Ok, fine, you need to be able to trick a user into opening a specially
    crafted file and then you are able to get information about the
    process the user just started. You are aware that each process gets
    its own memory space which is not accessible from other user space
    processes, aren't you? So why do you even mention multi-user systems
    here? <br>
    <br>
    <blockquote type="cite"
cite="mid:CAJvOCVnvoN7k+2MM+tG91qq11UFA+SfK+ZqsYJ=sYsxa0VSSbg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail-gs"
style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:'Google Sans',Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
          <div class="gmail-">
            <div id="gmail-:tb" class="gmail-ii gmail-gt gmail-adO"
style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
              <div id="gmail-:tc" class="gmail-a3s gmail-aiL"
style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
                <div dir="ltr">Let me show you a similar CVE which had
                  a memory leak<br>
                  <a
href="https://www.cve.org/CVERecord?id=CVE-2024-7526" target="_blank"
                    moz-do-not-send="true" class="moz-txt-link-freetext">https://www.cve.org/CVERecord?id=CVE-2024-7526</a><br>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    I think there is a difference between a memory leak in a browser, where
    you can "accidentally" open a malformed website after you already
    visited other webpages with sensitive information, and a memory leak
    in software, where you need to receive a malformed file from an
    attacker and open this file with dcraw.<br>
    Anyway, the NVD base score of this CVE is 6.5, how worrisome. Of
    course this is a bug that needs to be fixed, but none that needs any
    immediate action.<br>
    <br>
    <blockquote type="cite"
cite="mid:CAJvOCVnvoN7k+2MM+tG91qq11UFA+SfK+ZqsYJ=sYsxa0VSSbg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail-gs"
style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:'Google Sans',Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
          <div class="gmail-">
            <div id="gmail-:tb" class="gmail-ii gmail-gt gmail-adO"
style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
              <div id="gmail-:tc" class="gmail-a3s gmail-aiL"
style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
                <div dir="ltr"><br>
                  You can find a number of them in <a
                    href="http://cve.org/" target="_blank"
                    moz-do-not-send="true">cve.org</a>. <br>
                  <br>
                  There are a lot of CVEs for CLI tools. For example:
                  <ul>
                    <li style="margin-left:15px"><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4799"
                        target="_blank" moz-do-not-send="true"
                        class="moz-txt-link-freetext">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4799</a></li>
                  </ul>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Hmm, NVD base score of 4.3 ...<br>
    <br>
    <blockquote type="cite"
cite="mid:CAJvOCVnvoN7k+2MM+tG91qq11UFA+SfK+ZqsYJ=sYsxa0VSSbg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail-gs"
style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:'Google Sans',Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
          <div class="gmail-">
            <div id="gmail-:tb" class="gmail-ii gmail-gt gmail-adO"
style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
              <div id="gmail-:tc" class="gmail-a3s gmail-aiL"
style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
                <div dir="ltr">
                  <ul>
                    <li style="margin-left:15px"><a
href="https://www.cve.org/CVERecord?id=CVE-2024-7867" target="_blank"
                        moz-do-not-send="true"
                        class="moz-txt-link-freetext">https://www.cve.org/CVERecord?id=CVE-2024-7867</a><br>
                    </li>
                  </ul>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    ... NVD base score of 6.3. This was already evaluated with CVSS 4.0
    and got a score of 2.1. I don't think these are good examples to
    support your argument about a critical security vulnerability in
    dcraw.<br>
    <br>
    That was also the reason why I asked whether you already applied for
    a CVE for your issue. Did you already get one?<br>
    <br>
      Thorsten<br>
    <br>
    <br>
    <br>
    <blockquote type="cite"
cite="mid:CAJvOCVnvoN7k+2MM+tG91qq11UFA+SfK+ZqsYJ=sYsxa0VSSbg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail-gs"
style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:'Google Sans',Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
          <div class="gmail-">
            <div id="gmail-:tb" class="gmail-ii gmail-gt gmail-adO"
style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
              <div id="gmail-:tc" class="gmail-a3s gmail-aiL"
style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
                <div dir="ltr">
                  <div>I understand your concern and thanks for your
                    patience</div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="moz-mime-attachment-header"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Debian-astro-maintainers mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Debian-astro-maintainers@alioth-lists.debian.net">Debian-astro-maintainers@alioth-lists.debian.net</a>
<a class="moz-txt-link-freetext" href="https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-astro-maintainers">https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-astro-maintainers</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>