CVE-2018-19655

A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file.
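
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.8 HIGH | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |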

EPSS Score percentile: 73%

| Vendor | Product | Version |
|---|---|---|
| dcraw_project | dcraw | 𝑥 ≤ 9.28 |

𝑥 = Vulnerable software versions
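
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| dcraw | bullseye | 9.28-2 | fixed |
| dcraw | bookworm | 9.28-3 | fixed |
| dcraw | sid | 9.28-7 | fixed |
| dcraw | trixie | 9.28-7 | fixed |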
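
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| dcraw | noble | Fixed 9.28-2 | released |
| dcraw | mantic | Fixed 9.28-2 | released |
| dcraw | lunar | Fixed 9.28-2 | released |
| dcraw | kinetic | Fixed 9.28-2 | released |
| dcraw | jammy | Fixed 9.28-2 | released |
| dcraw | impish | Fixed 9.28-2 | released |
| dcraw | hirsute | Fixed 9.28-2 | released |
| dcraw | groovy | Fixed 9.28-2 | released |
| dcraw | focal | Fixed 9.28-2 | released |
| dcraw | eoan | Fixed 9.28-2 | released |
| dcraw | disco | Fixed 9.28-2 | released |
| dcraw | cosmic | Fixed 9.28-2 | released |
| dcraw | bionic | | needs-triage |
| dcraw | xenial | | needs-triage |
| dcraw | trusty | | dne |
| ufraw | noble | | dne |
| ufraw | mantic | | dne |
| ufraw | lunar | | dne |
| ufraw | kinetic | | dne |
| ufraw | jammy | | dne |
| ufraw | impish | | dne |
| ufraw | hirsute | | dne |
| ufraw | groovy | | dne |
| ufraw | focal | | dne |
| ufraw | eoan | | dne |
| ufraw | disco | | not-affected |
| ufraw | cosmic | Fixed 0.22-3.1~build0.18.14.1 | released |
| ufraw | bionic | Fixed 0.22-3.1~build0.18.04.1 | released |
| ufraw | xenial | | needed |
| ufraw | trusty | | dne |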