CVE-2020-24890

libraw 20.0 has a null pointer dereference vulnerability in parse_tiff_ifd in src/metadata/tiff.cpp, which may result in context-dependent arbitrary code execution. Note: this vulnerability occurs only if you compile the software in a certain way.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.5 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| mitre | CNA | --- | --- |
| CVE | ADP | --- | --- |

EPSS Score percentile: 61%

| Vendor | Product | Version |
|---|---|---|
| libraw | libraw | 0.20.0 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Status |
|---|---|---|
| libraw | bullseye (security) | unimportant |
| libraw | bullseye | unimportant |
| libraw | bookworm | unimportant |
| libraw | sid | unimportant |
| libraw | trixie | unimportant |

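Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| darktable | focal | not-affected |
| darktable | bionic | not-affected |
| darktable | xenial | not-affected |
| darktable | trusty | dne |
| dcraw | focal | not-affected |
| dcraw | bionic | not-affected |
| dcraw | xenial | not-affected |
| dcraw | trusty | dne |
| exactimage | focal | not-affected |
| exactimage | bionic | not-affected |
| exactimage | xenial | not-affected |
| exactimage | trusty | dne |
| kodi | focal | not-affected |
| kodi | bionic | not-affected |
| kodi | xenial | not-affected |
| kodi | trusty | dne |
| libraw | focal | not-affected |
| libraw | bionic | not-affected |
| libraw | xenial | not-affected |
| libraw | trusty | dne |
| rawtherapee | focal | not-affected |
| rawtherapee | bionic | not-affected |
| rawtherapee | xenial | not-affected |
| rawtherapee | trusty | dne |
| ufraw | focal | dne |
| ufraw | bionic | not-affected |
| ufraw | xenial | not-affected |
| ufraw | trusty | dne |
| xbmc | focal | dne |
| xbmc | bionic | dne |
| xbmc | xenial | dne |
| xbmc | trusty | dne |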