CVE-2020-15503 — HIGH (7.5)

Q: How severe is CVE-2020-15503?

CVE-2020-15503 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-15503?

Check the references section above for vendor advisories and patch information. Affected products include: Libraw Libraw, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libraw	Libraw	<= 0.19.5
Fedoraproject	Fedora	31
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-20

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00075.htmlBroken LinkMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00001.htmlBroken LinkMailing ListThird Party Advisory
https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864dPatchThird Party Advisory
https://github.com/LibRaw/LibRaw/compare/0.20-Beta3...0.20-RC1Release NotesThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00042.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.libraw.org/news/libraw-0-20-rc1Broken LinkThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00075.htmlBroken LinkMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00001.htmlBroken LinkMailing ListThird Party Advisory
https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864dPatchThird Party Advisory

FAQ

What is CVE-2020-15503?

CVE-2020-15503 is a vulnerability with a CVSS score of 7.5 (HIGH). LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_...

How severe is CVE-2020-15503?

CVE-2020-15503 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15503?

Check the references section above for vendor advisories and patch information. Affected products include: Libraw Libraw, Fedoraproject Fedora, Debian Debian Linux.