Hi,

On Fri, 22 Nov 2024, Ajin Deepak wrote:
To address your first question, in the context of *dcraw*, a denial of
service (DoS) vulnerability refers to the software's inability to handle
malformed files appropriately. A specially crafted file can cause the
application to crash, disrupting its functionality for users relying on it
for image processing. While it is not a networked "service," this still
constitutes a DoS as it prevents the intended use of the tool.

This sounds like the definition of a mere bug. I have never seen this being called a DoS. Whatever, if you like to call it this way ...

Additionally, the issue highlighted here involves a memory leak. This leak
exposes memory addresses that could assist in exploiting other
vulnerabilities, such as buffer overflows.

So what? Even if you are able to execute some code, you can only get information from one user of the system. Back to the beginning of this discussion: this looks like just an unimportant or minor issue and is far away from the overhyped critical issue that you wanted to create in your first mail. Anybody who processes files from unknown sources of the internet has a share of the blame in case bad things happen.

Apologies for the confusion earlier regarding multi-user systems—I was
referring to scenarios involving privilege escalation. Tools installed by
the root user often have elevated privileges or capabilities, especially if
they run with *setuid* permissions or interact with privileged system
components. If such a tool has vulnerabilities and is executed by a
non-privileged user, exploiting it could escalate the attacker's privileges
to root or other users, as in the scenarios you mentioned.

Sure, but this isn't related to dcraw, is it?

webpage. However, even if such cases are not immediately exploitable,
patching these issues is essential. Left unaddressed, they could
potentially aid exploitation when combined with other vulnerabilities in a
chain.

No, it is by far not essential. Applying a patch always involves the danger of introducing a regression. It is by far worse to not be able to process an image with dcraw at all than to have no fix for a fictional security issue.

And yes I did apply for CVE after your reply.

Great, please share the number.

  Thorsten
