ELA-1424-1 libraw security update

multiple out-of-bounds vulnerabilities

Date: 2025-05-18
Package: libraw
Version: 0.17.2-6+deb9u6 (stretch), 0.19.2-2+deb10u5 (buster)
Related CVEs: CVE-2025-43961, CVE-2025-43962, CVE-2025-43963, CVE-2025-43964

CVE-2025-43961

Out-of-bounds read in the Fujifilm 0xf00c tag parser. (This issue did not affect 0.17.2-6+deb9u5 and earlier versions.)

CVE-2025-43962

Out-of-bounds reads in tag 0x412 processing, related to large w0 or w1 values or to the frac and mult calculations.

CVE-2025-43963

phase_one_correct() allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing.

CVE-2025-43964

Tag 0x412 processing in phase_one_correct() does not enforce minimum w0 and w1 values.
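The four issues share one shape: dimension values read straight from a camera file (split_col and split_row from tag 0x041f, w0 and w1 from tag 0x412) are used to index image and correction buffers without being checked against the buffer actually allocated, and without a lower bound that keeps derived divisors nonzero. The following is an added example, not LibRaw's code: a self-contained C model of that failure mode with the checks the advisory says were missing. The struct and function names, the image layout, the W_MIN and W_MAX limits and the use of (w0 - 1) as an interpolation divisor are all this example's assumptions, chosen to make the class of bug concrete rather than to reproduce phase_one_correct().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image descriptor; field names are this example's own. */
struct image {
    const uint16_t *pixels;   /* raw_width * raw_height samples */
    unsigned raw_width;
    unsigned raw_height;
};

/* Hypothetical decoded tag 0x041f: the position where the correction splits. */
struct tag_041f { int split_col; int split_row; };

/* Hypothetical decoded tag 0x412: a w0 x w1 correction table plus the
 * number of bytes the file actually supplies for it. */
struct tag_0412 { int w0; int w1; size_t table_bytes; };

#define W_MIN 2      /* assumed: a (w - 1) divisor must stay nonzero */
#define W_MAX 4096   /* assumed sanity cap on table dimensions */

/* Reject split values the file could use to index outside pixels[].
 * Negative values are rejected before the unsigned comparison. */
int validate_split(const struct image *img, const struct tag_041f *t)
{
    if (t->split_col < 0 || (unsigned)t->split_col >= img->raw_width) return -1;
    if (t->split_row < 0 || (unsigned)t->split_row >= img->raw_height) return -1;
    return 0;
}

/* Enforce both a minimum and a maximum on w0/w1, then check that the
 * table the file provides really holds w0 * w1 entries. */
int validate_widths(const struct tag_0412 *t)
{
    if (t->w0 < W_MIN || t->w0 > W_MAX) return -1;
    if (t->w1 < W_MIN || t->w1 > W_MAX) return -1;
    /* Cannot overflow: both factors are at most W_MAX. */
    size_t needed = (size_t)t->w0 * (size_t)t->w1 * sizeof(uint16_t);
    if (needed > t->table_bytes) return -1;
    return 0;
}

/* Checked form of the lookup an unchecked parser would do blindly:
 * returns the sample at (split_row, split_col), or -1 if rejected. */
int split_sample_checked(const struct image *img, const struct tag_041f *t)
{
    if (validate_split(img, t) != 0) return -1;
    size_t idx = (size_t)t->split_row * img->raw_width + (size_t)t->split_col;
    return img->pixels[idx];
}

/* Interpolation step across the table columns. The (w0 - 1) divisor is
 * why this model needs a minimum of 2: w0 == 1 would divide by zero. */
int column_step(const struct image *img, const struct tag_0412 *t)
{
    if (validate_widths(t) != 0) return -1;
    return (int)((img->raw_width - 1) / (unsigned)(t->w0 - 1));
}

int main(void)
{
    /* Constructed 4x3 sample image; the values are arbitrary. */
    static const uint16_t px[12] = { 10, 11, 12, 13, 20, 21, 22, 23, 30, 31, 32, 33 };
    struct image img = { px, 4, 3 };
    struct tag_041f ok = { 2, 1 }, past_end = { 4, 1 }, negative = { -1, 0 };
    struct tag_0412 w_ok = { 4, 4, 32 }, w_zero_div = { 1, 4, 1024 }, w_short = { 4, 4, 31 };

    printf("in-range split          -> %d\n", split_sample_checked(&img, &ok));
    printf("split_col == raw_width  -> %d\n", split_sample_checked(&img, &past_end));
    printf("negative split_col      -> %d\n", split_sample_checked(&img, &negative));
    printf("w0 = w1 = 4, 32 bytes   -> %d\n", column_step(&img, &w_ok));
    printf("w0 = 1 (below minimum)  -> %d\n", column_step(&img, &w_zero_div));
    printf("table one byte short    -> %d\n", column_step(&img, &w_short));
    return 0;
}
```

The two validators are deliberately separate from the code that uses the values: both the maximum (buffer size) and the minimum (divisor) are properties of the parser's own allocation and arithmetic, so they belong next to the allocation, not scattered through the tag-specific branches.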



For Debian 10 buster, these problems have been fixed in version 0.19.2-2+deb10u5.

For Debian 9 stretch, these problems have been fixed in version 0.17.2-6+deb9u6.

We recommend that you upgrade your libraw packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.