-------------------------------------------------------------------------
Debian LTS Advisory DLA-4142-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
April 29, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libraw
Version : 0.20.2-1+deb11u2
CVE ID : CVE-2025-43961 CVE-2025-43962 CVE-2025-43963 CVE-2025-43964
Debian Bug : 1103781 1103782 1103783
LibRaw is a library for reading RAW files obtained from digital photo cameras
(CRW/CR2, NEF, RAF, DNG, and others).
CVE-2025-43961
metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag
parser.
CVE-2025-43962
phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for
tag 0x412 processing, related to large w0 or w1 values or the frac and mult
calculations.
CVE-2025-43963
phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access
because split_col and split_row values are not checked in 0x041f tag
processing.
CVE-2025-43964
tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does
not enforce minimum w0 and w1 values.
For Debian 11 bullseye, these problems have been fixed in version
0.20.2-1+deb11u2.
We recommend that you upgrade your libraw packages.
For the detailed security status of libraw please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libraw
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature