<div dir="ltr">Hi,<br><br><p>To address your first question, in the context of <em>dcraw</em>, a denial of service (DoS) vulnerability refers to the software's inability to handle malformed files appropriately. A specially crafted file can cause the application to crash, disrupting its functionality for users relying on it for image processing. While it is not a networked "service," this still constitutes a DoS as it prevents the intended use of the tool. Additionally, the issue highlighted here involves a memory leak. This leak exposes memory addresses that could assist in exploiting other vulnerabilities, such as buffer overflows.</p><p><br>Apologies for the confusion earlier regarding multi-user systems; I was referring to scenarios involving privilege escalation. Tools installed by the root user often have elevated privileges or capabilities, especially if they run with <em>setuid</em> permissions or interact with privileged system components. If such a tool has vulnerabilities and is executed by a non-privileged user, exploiting it could escalate the attacker's privileges to root or other users, as in the scenarios you mentioned.</p><p>Regarding the difference between memory leaks in a browser and a standalone tool like <em>dcraw</em>, you are correct: in a browser, a user might inadvertently visit a malicious website after accessing sensitive pages, which poses an immediate risk. With <em>dcraw</em>, a user would need to receive and intentionally open a malformed file. But even in the CVE it's an uninitialized memory leak; these are not exploitable by just visiting a webpage. However, even if such cases are not immediately exploitable, patching these issues is essential.
Left unaddressed, they could potentially aid exploitation when combined with other vulnerabilities in a chain.<br><br>And yes, I did apply for a CVE after your reply.</p><br><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Nov 22, 2024 at 12:10 AM Thorsten Alteholz <<a href="mailto:debian@alteholz.de">debian@alteholz.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
On 21.11.24 15:32, Ajin Deepak wrote:
<blockquote type="cite">
<div dir="ltr">
<div style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
<div>
<div id="m_-425113067950015497gmail-:tb" style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
<div id="m_-425113067950015497gmail-:tc" style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
<div dir="ltr"> While <code>dcraw</code> is a standalone
CLI tool, it can be integrated into other software.
For example, I saw RawTherapee using dcraw.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
yes, whatever, this is a pretty UI around dcraw, but it is still
software that a user executes. I repeat my question: What service
can suffer under a denial of service attack as you stated in your
first email.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
<div>
<div id="m_-425113067950015497gmail-:tb" style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
<div id="m_-425113067950015497gmail-:tc" style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
<div dir="ltr"><br>
Address leaks or memory leaks in tools like <code>dcraw</code> could
expose sensitive memory data when run in multi-user
systems, potentially aiding attackers in other
exploits such as bypassing ASLR.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Ok, fine, you need to be able to trick a user to open a specially
crafted file and then you are able to get information about the
process the user just started. You are aware that each process gets
its own memory space which is not accessible from other user space
processes, aren't you? So why do you even mention multi-user systems
here? <br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
<div>
<div id="m_-425113067950015497gmail-:tb" style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
<div id="m_-425113067950015497gmail-:tc" style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
<div dir="ltr">Let me show you a similar CVE which had
a memory leak<br>
<a href="https://www.cve.org/CVERecord?id=CVE-2024-7526" target="_blank">https://www.cve.org/CVERecord?id=CVE-2024-7526</a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I think there is a difference in a memory leak of a browser, where
you can "accidentally" open a malformed website after you already
visited other webpages with sensitive information and a memory leak
in a software, where you need to receive a malformed file from an
attacker and open this file with dcraw.<br>
Anyway, the NVD base score of this CVE is 6.5, how worrisome. Of
course this is a bug that needs to be fixed, but none that needs any
immediate action.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
<div>
<div id="m_-425113067950015497gmail-:tb" style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
<div id="m_-425113067950015497gmail-:tc" style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
<div dir="ltr"><br>
You can find a number of them in <a href="http://cve.org/" target="_blank">cve.org</a>. <br>
<br>
There are a lot of CVEs for CLI tools. For example:
<ul>
<li style="margin-left:15px"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4799" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4799</a></li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Hmm, NVD base score of 4.3 ...<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
<div>
<div id="m_-425113067950015497gmail-:tb" style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
<div id="m_-425113067950015497gmail-:tc" style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
<div dir="ltr">
<ul>
<li style="margin-left:15px"><a href="https://www.cve.org/CVERecord?id=CVE-2024-7867" target="_blank">https://www.cve.org/CVERecord?id=CVE-2024-7867</a><br>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
... NVD base score of 6.3. This was already evaluated with CVSS 4.0
and got a score of 2.1. I don't think these are good examples to
support your argument about a critical security vulnerability in
dcraw.<br>
<br>
That was also the reason why I asked whether you already applied for
a CVE for your issue. Did you already get one?<br>
<br>
Thorsten<br>
<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div style="margin:0px;min-width:0px;padding:0px 0px 20px;width:initial;font-family:"Google Sans",Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium">
<div>
<div id="m_-425113067950015497gmail-:tb" style="direction:ltr;margin:8px 0px 0px;padding:0px;font-size:0.875rem;overflow-x:hidden">
<div id="m_-425113067950015497gmail-:tc" style="direction:ltr;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif;overflow:auto hidden">
<div dir="ltr">
<div>I understand your concern and thanks for your
patience</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Debian-astro-maintainers mailing list
<a href="mailto:Debian-astro-maintainers@alioth-lists.debian.net" target="_blank">Debian-astro-maintainers@alioth-lists.debian.net</a>
<a href="https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-astro-maintainers" target="_blank">https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-astro-maintainers</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div>
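<p>The mechanism the two correspondents are arguing about, as an added example written for this page (it is not dcraw's code and not from either of them): a decoder that trusts the pixel count in a crafted file, reads fewer bytes than it declares, and emits the untouched remainder of a reused buffer, beside the hardened form that rejects the short file and clears the buffer. The 4-byte little-endian "RAW" header, the static scratch buffer, the stale pointer at offset 8 and the <code>decoder_state</code> variable are all assumptions made for the illustration; the crafted file is constructed inline.</p>

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_SIZE 64

/* Working buffer reused for every image (hypothetical layout; many decoders
 * keep such state in static storage and never clear it between files). */
static unsigned char scratch[SCRATCH_SIZE];

/* Decoder state in the binary's data segment: its address tells an attacker
 * where the executable is mapped, which is exactly what ASLR hides. */
static int decoder_state;

/* Hypothetical earlier step that stashes a pointer in the buffer. */
void earlier_step_leaves_pointer(void)
{
    uintptr_t p = (uintptr_t)&decoder_state;
    memset(scratch, 0xAA, sizeof scratch);
    memcpy(scratch + 8, &p, sizeof p);   /* stale pointer at offset 8 */
}

static uint32_t read_le32(const unsigned char *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Vulnerable: trusts the declared count, copies what the file carries and
 * emits the whole declared span. Bytes present..declared-1 are never written,
 * so whatever was in the buffer leaves the process inside the output image. */
int decode_vulnerable(const unsigned char *f, size_t len, unsigned char *out, size_t cap)
{
    if (len < 4) return -1;
    uint32_t declared = read_le32(f);
    if (declared > SCRATCH_SIZE || declared > cap) return -1;
    size_t present = len - 4;
    if (present > declared) present = declared;
    memcpy(scratch, f + 4, present);
    memcpy(out, scratch, declared);
    return (int)declared;
}

/* Hardened: a file shorter than it claims is malformed and is refused (-2).
 * The buffer is also zeroed first, so a future length slip cannot leak. */
int decode_hardened(const unsigned char *f, size_t len, unsigned char *out, size_t cap)
{
    if (len < 4) return -1;
    uint32_t declared = read_le32(f);
    if (declared > SCRATCH_SIZE || declared > cap) return -1;
    if (len - 4 < declared) return -2;
    memset(scratch, 0, sizeof scratch);
    memcpy(scratch, f + 4, declared);
    memcpy(out, scratch, declared);
    return (int)declared;
}

/* Constructed malicious input: header declares 32 pixel bytes, only 8 follow. */
size_t build_crafted_file(unsigned char *buf, size_t cap)
{
    if (cap < 12) return 0;
    buf[0] = 32; buf[1] = 0; buf[2] = 0; buf[3] = 0;
    memset(buf + 4, 0x11, 8);
    return 12;
}

/* Attacker side: read offset 8 of the returned image as a pointer. */
uintptr_t recover_leaked_pointer(const unsigned char *out)
{
    uintptr_t p;
    memcpy(&p, out + 8, sizeof p);
    return p;
}

/* 1 if the vulnerable decoder handed the stale pointer back to the caller. */
int vulnerable_leaks_address(void)
{
    unsigned char file[16], out[SCRATCH_SIZE];
    size_t flen = build_crafted_file(file, sizeof file);
    earlier_step_leaves_pointer();
    if (decode_vulnerable(file, flen, out, sizeof out) != 32) return 0;
    return recover_leaked_pointer(out) == (uintptr_t)&decoder_state;
}

/* The hardened decoder's verdict on the same file (-2 = truncated). */
int hardened_verdict(void)
{
    unsigned char file[16], out[SCRATCH_SIZE];
    size_t flen = build_crafted_file(file, sizeof file);
    earlier_step_leaves_pointer();
    return decode_hardened(file, flen, out, sizeof out);
}

int main(void)
{
    unsigned char file[16], out[SCRATCH_SIZE];
    size_t flen = build_crafted_file(file, sizeof file);
    earlier_step_leaves_pointer();
    int n = decode_vulnerable(file, flen, out, sizeof out);
    printf("vulnerable: %d bytes, leaked 0x%" PRIxPTR " (decoder_state is at 0x%" PRIxPTR ")\n",
           n, recover_leaked_pointer(out), (uintptr_t)&decoder_state);
    printf("hardened:   returned %d\n", hardened_verdict());
    return 0;
}
```

<p>Build with <code>cc -Wall example.c && ./a.out</code>. The leaked value equals the address of <code>decoder_state</code>, so whoever receives the decoded image (a user who forwards it, or a server that converts uploaded RAW files and returns the result) learns the binary's load address; that is the "aids ASLR bypass" step, and it only matters if a second, memory-corruption bug exists to chain with. Note that what leaks is the decoder process's own memory, consistent with the point about per-process address spaces above. Rejecting the short file is the real fix; clearing the buffer is defence in depth.</p>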