oss-sec mailing list archives

LibRaw 0.22.1 Release with security fixes


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sat, 11 Apr 2026 09:42:42 -0700

https://www.libraw.org/news/libraw-0-22-1-release announces:
LibRaw 0.22.1 Release is just published in our Github repository
<https://github.com/LibRaw/LibRaw> and this site download section
<https://www.libraw.org/download>.

This is a bugfix-only release with these commits included:

 * Limit strcat space in hassy model manipulation
 * Version increment; shlib increment: internal ABI has changed
 * check panasonic enc8 tile width against image width
 * CR3 parser: zero all buffers before fread
 * skip memory allocation checks for OWN_ALLOC decoders
 * DNG SDK glue: check for memory limits
 * raw2image()/dcraw_process() - check for int16 source data present
 * Check for correct bayer pattern, pass incorrect ones to vng_interpolate
 * parse_rollei: zero input string before fgets
 * Nikon padded/12bit: no need to calculate padded row size before final
   raw_width adjustment
 * TALOS-2026-2364: Fix for data size calculation integer overflow in
   float/deflated DNG loader; Check for read results
 * Fix for TALOS-2026-2363: avoid integer overflow in allocation size
   calculation. Also: check for EOF in read loop
 * X3F decoder: implemented hard single allocation limit via
   LIBRAW_X3F_ALLOC_LIMIT_MB define;
 * allocation size calculation converted to 64 bit arithm; fix for
   TALOS-2026-2359
 * Fix for TALOS-2026-2358
 * Fix for TALOS-2026-2331
 * Fix for TALOS-2026-2330
 * Sony YCC decoder: check tile size; add +3 bytes to input buffer to avoid
   possible overrun in huffman decoder
 * FP DNG data limit: perform calculations in 64 bit
 * Add extra huff_coeff item to handle huff_index==17 with known (zero) value,
   not externally provided tag value
 * use %lld format for timestamp parse/print where appropriate
 * nikon coolscan loader: check for EOF
 * Initialize olympus lensID bits
 * CR3 parser: all file offsets are unsigned/64bit; check current offset
   against file size
 * Add Canon EOS Kiss M2 to camera list
 * Check real color count against filters; do not pass really 4-color images
   to fbdd or advanced demosaic
 * Use LIBRAW_EXCEPTION instead of own internal in losslessjpeg.h
 * zero input string to avoid compare random stack garbage with tag names
 * Check for eof in Pentax tag search loop
 * Fuji decoder: initialize allocated buffers

Further information about the vulnerabilities reported by Cisco Talos can be
found in their reports:

- TALOS-2026-2330 / CVE-2026-20911
  LibRaw HuffTable::initval heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330

  A heap-based buffer overflow vulnerability exists in the HuffTable::initval
  functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially
  crafted malicious file can lead to a heap buffer overflow. An attacker
  can provide a malicious file to trigger this vulnerability.

- TALOS-2026-2331 / CVE-2026-21413
  LibRaw lossless_jpeg_load_raw heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331

  A heap-based buffer overflow vulnerability exists in the
  lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and
  Commit d20315b. A specially crafted malicious file can lead to a heap buffer
  overflow. An attacker can provide a malicious file to trigger this
  vulnerability.

- TALOS-2026-2358 / CVE-2026-20889
  LibRaw x3f_thumb_loader heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358

  A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader
  functionality of LibRaw Commit d20315b. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

- TALOS-2026-2359 / CVE-2026-24660
  LibRaw x3f_load_huffman heap-based buffer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2359

  A heap-based buffer overflow vulnerability exists in the x3f_load_huffman
  functionality of LibRaw Commit d20315b. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

- TALOS-2026-2363 / CVE-2026-24450
  LibRaw uncompressed_fp_dng_load_raw integer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2363

  An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw
  functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

- TALOS-2026-2364 / CVE-2026-20884
  LibRaw deflate_dng_load_raw integer overflow vulnerability
  https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364

  An integer overflow vulnerability exists in the deflate_dng_load_raw
  functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file
  can lead to a heap buffer overflow. An attacker can provide a malicious file
  to trigger this vulnerability.

Additional CVEs also appear to have been issued for some of the fixes:

- CVE-2026-5318 appears to be a duplicate for independent reporting of the
  TALOS-2026-2330 / CVE-2026-20911 issue in
  https://github.com/LibRaw/LibRaw/issues/794

- CVE-2026-5342 for the fix listed above as "Nikon padded/12bit: no need to
  calculate padded row size before final raw_width adjustment" and originally
  reported in https://github.com/LibRaw/LibRaw/issues/795

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
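
Several of the fixes listed above share one pattern: an allocation size computed from file-supplied dimensions in 32-bit arithmetic, and a read loop that does not check for EOF. The C sketch below is an added illustration of that pattern and its hardened form; it is not part of the original post and is not LibRaw code. The function names, the 512 MiB cap and the header values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-allocation cap for this sketch; not a value taken from LibRaw. */
#define MAX_ALLOC_BYTES (512ULL * 1024 * 1024)

/* The flawed pattern: the product is evaluated in 32 bits and silently wraps. */
uint32_t size_32bit(uint32_t w, uint32_t h, uint32_t samples, uint32_t bps)
{
    return w * h * samples * bps;
}

/* Same product in 64 bits, bounded before each multiply. Returns 0 on success. */
int size_checked(uint32_t w, uint32_t h, uint32_t samples, uint32_t bps, uint64_t *out)
{
    uint64_t n = (uint64_t)w * h; /* two 32-bit factors always fit in 64 bits */
    if (!w || !h || !samples || !bps) return -1;
    if (n > MAX_ALLOC_BYTES / samples) return -1;
    n *= samples;
    if (n > MAX_ALLOC_BYTES / bps) return -1;
    *out = n * bps;
    return 0;
}

/* Allocate a zeroed buffer and fill it; a short read (EOF, truncated file) fails. */
unsigned char *load_plane(FILE *fp, uint32_t w, uint32_t h, uint32_t samples, uint32_t bps)
{
    uint64_t bytes;
    size_t got = 0;
    unsigned char *buf;
    if (size_checked(w, h, samples, bps, &bytes) != 0) return NULL;
    if (!(buf = calloc(1, (size_t)bytes))) return NULL;
    while (got < bytes) {
        size_t r = fread(buf + got, 1, (size_t)bytes - got, fp);
        if (r == 0) { free(buf); return NULL; } /* EOF or error before the buffer is full */
        got += r;
    }
    return buf;
}

int main(void)
{
    uint64_t ok = 0;
    /* Constructed header values: 65536 x 65536, 1 sample, 4 bytes per sample. */
    printf("32-bit size: %u\n", (unsigned)size_32bit(65536u, 65536u, 1u, 4u));
    printf("checked rc:  %d\n", size_checked(65536u, 65536u, 1u, 4u, &ok));
    return 0;
}
```

With the 32-bit product wrapping to a small value, a later loop that still iterates over the full dimensions writes past the undersized buffer, which is how an integer overflow becomes the heap overflow named in the reports.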

