CVE-2015-8366

NameCVE-2015-8366
DescriptionIndex overflow in smal_decode_segment
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
Debian Bugs806809, 818882

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
darktable (PTS)wheezy1.0.4-1+deb7u2fixed
jessie1.4.2-1+deb8u1fixed
stretch, sid2.2.1-3fixed
dcraw (PTS)wheezy8.99-1fixed
jessie9.21-0.2vulnerable
stretch, sid9.27-1vulnerable
exactimage (PTS)wheezy0.8.5-5+deb7u4fixed
wheezy (security)0.8.5-5+deb7u3fixed
jessie0.8.9-7+deb8u2fixed
stretch, sid0.9.1-16fixed
kodi (PTS)stretch, sid2:17.0+dfsg1-3fixed
libraw (PTS)wheezy0.14.6-2+deb7u1fixed
jessie0.16.0-9+deb8u2fixed
stretch, sid0.17.2-6fixed
rawtherapee (PTS)wheezy4.0.9-4+deb7u1fixed
jessie4.2-1+deb8u2fixed
stretch, sid5.0-1fixed
ufraw (PTS)wheezy0.18-2fixed
jessie0.20-2+deb8u1vulnerable
stretch, sid0.22-1.1fixed
xbmc (PTS)wheezy2:11.0~git20120510.82388d5-1fixed
jessie2:13.2+dfsg1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
darktablesource(unstable)2.0.0-1
darktablesourcejessie(not affected)
darktablesourcesqueeze(not affected)
darktablesourcewheezy(not affected)
dcrawsource(unstable)(unfixed)
dcrawsourcesqueeze(not affected)
dcrawsourcewheezy(not affected)
exactimagesource(unstable)0.9.1-13
exactimagesourcejessie0.8.9-7+deb8u2
exactimagesourcesqueeze(not affected)
exactimagesourcewheezy(not affected)
kodisource(unstable)(not affected)
librawsource(unstable)0.17.1-1806809
librawsourcejessie0.16.0-9+deb8u2
librawsourcesqueeze(not affected)
librawsourcewheezy(not affected)
rawtherapeesource(unstable)4.2.1241-2
rawtherapeesourcejessie4.2-1+deb8u2
rawtherapeesourcesqueeze(not affected)
rawtherapeesourcewheezy(not affected)
ufrawsource(unstable)0.20-4818882
ufrawsourcesqueeze(not affected)
ufrawsourcewheezy(not affected)
xbmcsource(unstable)(not affected)
xbmcsourcejessie(not affected)
xbmcsourcewheezy(not affected)

Notes

[wheezy] - libraw <not-affected> (Vulnerable code not present)
[squeeze] - libraw <not-affected> (Vulnerable code not present)
[jessie] - dcraw <no-dsa> (Minor issue)
[wheezy] - dcraw <not-affected> (Vulnerable code not present)
[squeeze] - dcraw <not-affected> (Vulnerable code not present)
- kodi <not-affected> (Vulnerable code not present)
[jessie] - darktable <not-affected> (Vulnerable code not present)
[wheezy] - darktable <not-affected> (Vulnerable code not present)
[squeeze] - darktable <not-affected> (Vulnerable code not present)
[jessie] - ufraw <no-dsa> (Minor issue)
[wheezy] - ufraw <not-affected> (Vulnerable code not present)
[squeeze] - ufraw <not-affected> (Vulnerable code not present)
[wheezy] - rawtherapee <not-affected> (Vulnerable code not present)
[squeeze] - rawtherapee <not-affected> (Vulnerable code not present)
[wheezy] - exactimage <not-affected> (Vulnerable code not present)
[squeeze] - exactimage <not-affected> (Vulnerable code not present)
exactimage: smal_decode_segment inside dcraw.h not dcraw.c
[jessie] - xbmc <not-affected> (Transitional dummy package)
[wheezy] - xbmc <not-affected> (Vulnerable code not present)
Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2

Search for package or bug name: Reporting problems