CVE-2021-3624 — Improper Input Validation in Project Dcraw

CWE-20 — Improper Input Validation CWE-190 — Integer Overflow or Wraparound CWE-787 — Out-of-bounds Write6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 52.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dcraw Project Dcraw Debian Linux

Timeline

PublishedApr 18

Latest updateApr 19

Description

There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Debiandcraw_project/dcraw< 9.28-3+2

▶CVEListV5dcraw_project/dcrawdcraw 9.28-2

▶NVDdcraw_project/dcraw9.28-2

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-rj98-5wmh-q944: There is an integer overflow vulnerability in dcraw↗2022-04-19

▶

OSV

CVE-2021-3624: There is an integer overflow vulnerability in dcraw↗2022-04-18

▶

CVEList

CVE-2021-3624: There is an integer overflow vulnerability in dcraw↗2022-04-18

▶

📋Vendor Advisories

Red Hat

dcraw: Buffer overflow caused by integer-overflow in foveon_load_camf()↗2021-05-31

▶

Debian

CVE-2021-3624: dcraw - There is an integer overflow vulnerability in dcraw. When the victim runs dcraw ...↗2021

▶