[Debian-astro-maintainers] Bug#1087911: Bug#1087911:

Thorsten Alteholz debian at alteholz.de
Fri Nov 22 00:06:09 GMT 2024


Hi,

On Fri, 22 Nov 2024, Ajin Deepak wrote:
> To address your first question, in the context of *dcraw*, a denial of
> service (DoS) vulnerability refers to the software's inability to handle
> malformed files appropriately. A specially crafted file can cause the
> application to crash, disrupting its functionality for users relying on it
> for image processing. While it is not a networked "service," this still
> constitutes a DoS as it prevents the intended use of the tool.

this sounds like the definition of a mere bug. I have never seen this 
being called a DoS. Whatever, if you like to call it this way ...

> Additionally, the issue highlighted here involves a memory leak. This leak
> exposes memory addresses that could assist in exploiting other
> vulnerabilities, such as buffer overflows.

So what? Even if you are able to execute some code, you can only get 
information from one user of the system. Back to the beginning of this 
discussion: this looks like just an unimportant or minor issue and is far 
away from the overhyped critical issue that you wanted to create in your 
first mail.
Anybody who processes files from unknown sources of the internet has a 
share of the blame in case bad things happen.

> Apologies for the confusion earlier regarding multi-user systems—I was
> referring to scenarios involving privilege escalation. Tools installed by
> the root user often have elevated privileges or capabilities, especially if
> they run with *setuid* permissions or interact with privileged system
> components. If such a tool has vulnerabilities and is executed by a
> non-privileged user, exploiting it could escalate the attacker's privileges
> to root or other users, as in the scenarios you mentioned.

Sure, but this isn't related to dcraw, is it?

> webpage. However, even if such cases are not immediately exploitable,
> patching these issues is essential. Left unaddressed, they could
> potentially aid exploitation when combined with other vulnerabilities in a
> chain.

No, it is by far not essential. Applying a patch always involves the danger 
of introducing a regression. It is by far worse to not be able to process 
an image with dcraw at all than to have no fix for a fictional security 
issue.

> And yes I did apply for CVE after your reply.

Great, please share the number.

   Thorsten

