[Pkg-phototools-devel] Bug#711316: Bug#711316: darktable: CVE-2013-2126: double free
David Bremner
bremner at debian.org
Thu Jun 6 19:57:31 UTC 2013
Raphael Geissert <geissert at debian.org> writes:

> Package: darktable
> Severity: grave
> Tags: security patch
>
> Hi,
>
> There's a double free in the embedded copy of libraw included in your package.
> If possible, please use the system copy instead.

So far, this still seems to be impossible, as discussed in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682980

>
> For more info:
> http://www.openwall.com/lists/oss-security/2013/05/29/7
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710353#17
>
> Could you please prepare fixed packages for stable, to be included in
> point releases?

I'm not sure yet that the vulnerability occurs in the version of libraw
embedded in darktable. There is some relevant discussion on the
darktable developers list:
http://article.gmane.org/gmane.comp.graphics.darktable.devel/2628

If nothing else, the proposed patch won't apply, because raw_alloc
doesn't occur at all in src/External/LibRaw/src/libraw_cxx.cpp

I'll update the bug when I know more.

d