CVE-2015-8366

Name	CVE-2015-8366
Description	Array index error in smal_decode_segment function in LibRaw before 0.17.1 allows context-dependent attackers to cause memory errors and possibly execute arbitrary code via vectors related to indexes.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	806809, 818882, 864168

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
darktable (PTS)	bullseye	3.4.1-5	fixed
	bookworm	4.2.1-4	fixed
	sid, trixie	5.0.1-1	fixed
dcraw (PTS)	bullseye	9.28-2	fixed
	bookworm	9.28-3	fixed
	sid, trixie	9.28-8	fixed
exactimage (PTS)	bullseye	1.0.2-8	fixed
	bookworm	1.0.2-11	fixed
	sid, trixie	1.2.1-2	fixed
kodi (PTS)	bullseye	2:19.1+dfsg2-2+deb11u1	fixed
	bookworm	2:20.1+dfsg-1	fixed
	sid, trixie	2:21.2+dfsg-4	fixed
libraw (PTS)	bullseye (security), bullseye	0.20.2-1+deb11u1	fixed
	bookworm	0.20.2-2.1	fixed
	trixie	0.21.3-1	fixed
	sid	0.21.4-2	fixed
rawtherapee (PTS)	bullseye	5.8-3	fixed
	bookworm	5.9-1	fixed
	sid, trixie	5.11-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
darktable	source	squeeze	(not affected)
darktable	source	wheezy	(not affected)
darktable	source	jessie	(not affected)
darktable	source	(unstable)	2.0.0-1
dcraw	source	squeeze	(not affected)
dcraw	source	wheezy	(not affected)
dcraw	source	(unstable)	9.28-1	864168
exactimage	source	squeeze	(not affected)
exactimage	source	wheezy	(not affected)
exactimage	source	jessie	0.8.9-7+deb8u2
exactimage	source	(unstable)	0.9.1-13
kodi	source	(unstable)	(not affected)
libraw	source	squeeze	(not affected)
libraw	source	wheezy	(not affected)
libraw	source	jessie	0.16.0-9+deb8u2
libraw	source	(unstable)	0.17.1-1	806809
rawtherapee	source	squeeze	(not affected)
rawtherapee	source	wheezy	(not affected)
rawtherapee	source	jessie	4.2-1+deb8u2
rawtherapee	source	(unstable)	4.2.1241-2
ufraw	source	squeeze	(not affected)
ufraw	source	wheezy	(not affected)
ufraw	source	(unstable)	0.20-4	818882

Notes

[wheezy] - libraw <not-affected> (Vulnerable code not present)
[squeeze] - libraw <not-affected> (Vulnerable code not present)
[stretch] - dcraw <no-dsa> (Minor issue)
[jessie] - dcraw <no-dsa> (Minor issue)
[wheezy] - dcraw <not-affected> (Vulnerable code not present)
[squeeze] - dcraw <not-affected> (Vulnerable code not present)
- kodi <not-affected> (Vulnerable code not present)
[jessie] - darktable <not-affected> (Vulnerable code not present)
[wheezy] - darktable <not-affected> (Vulnerable code not present)
[squeeze] - darktable <not-affected> (Vulnerable code not present)
[jessie] - ufraw <no-dsa> (Minor issue)
[wheezy] - ufraw <not-affected> (Vulnerable code not present)
[squeeze] - ufraw <not-affected> (Vulnerable code not present)
[wheezy] - rawtherapee <not-affected> (Vulnerable code not present)
[squeeze] - rawtherapee <not-affected> (Vulnerable code not present)
[wheezy] - exactimage <not-affected> (Vulnerable code not present)
[squeeze] - exactimage <not-affected> (Vulnerable code not present)
exactimage: smal_decode_segment inside dcraw.h not dcraw.c
Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2