[Debian-astro-maintainers] Bug#1087911: Bug#1087911:
Ajin Deepak
ajindeepak0007 at gmail.com
Fri Nov 22 03:19:34 GMT 2024
Hi,
I understand your concerns. Here is the CVE number: 1775652
On Fri, 22 Nov, 2024, 6:00 am Thorsten Alteholz, <debian at alteholz.de> wrote:
> Hi,
>
> On Fri, 22 Nov 2024, Ajin Deepak wrote:
> > To address your first question, in the context of *dcraw*, a denial of
> > service (DoS) vulnerability refers to the software's inability to handle
> > malformed files appropriately. A specially crafted file can cause the
> > application to crash, disrupting its functionality for users relying on it
> > for image processing. While it is not a networked "service," this still
> > constitutes a DoS as it prevents the intended use of the tool.
>
> this sounds like the definition of a mere bug. I have never seen this
> being called a DoS. Whatever, if you like to call it this way ...
>
> > Additionally, the issue highlighted here involves a memory leak. This leak
> > exposes memory addresses that could assist in exploiting other
> > vulnerabilities, such as buffer overflows.
>
> So what? Even if you are able to execute some code, you can only get
> information from one user of the system. Back to the beginning of this
> discussion: this looks like just an unimportant or minor issue and is far
> away from the overhyped critical issue that you wanted to create in your
> first mail.
> Anybody who processes files from unknown sources of the internet has a
> share of the blame in case bad things happen.
>
> > Apologies for the confusion earlier regarding multi-user systems—I was
> > referring to scenarios involving privilege escalation. Tools installed by
> > the root user often have elevated privileges or capabilities, especially if
> > they run with *setuid* permissions or interact with privileged system
> > components. If such a tool has vulnerabilities and is executed by a
> > non-privileged user, exploiting it could escalate the attacker's privileges
> > to root or other users, as in the scenarios you mentioned.
>
> Sure but this isn't related to dcraw, is it?
>
> > webpage. However, even if such cases are not immediately exploitable,
> > patching these issues is essential. Left unaddressed, they could
> > potentially aid exploitation when combined with other vulnerabilities in a
> > chain.
>
> No it is by far not essential. Applying a patch always involves the danger
> of introducing a regression. It is by far worse to not be able to process
> an image with dcraw at all than to have no fix for a fictional security
> issue.
>
> > And yes I did apply for CVE after your reply.
>
> Great, please share the number.
>
> Thorsten