Fluid Attacks Database

Description

A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 14	dcraw	=9.28-8
debian 13	dcraw	=9.28-8
debian 12	dcraw	=9.28-3 \|\| =9.28-3.1 \|\| =9.28-4 \|\| =9.28-5 \|\| =9.28-5.1 \|\| =9.28-6 \|\| =9.28-7 \|\| =9.28-8
debian 11	dcraw	=9.28-2 \|\| =9.28-3 \|\| =9.28-3.1 \|\| =9.28-4 \|\| =9.28-5 \|\| =9.28-5.1 \|\| =9.28-6 \|\| =9.28-7 \|\| =9.28-8
rpm rhel8	dcraw	-
rpm rhel7	dcraw	-
rpm rhel6	dcraw	-
rpm rhel5	dcraw	-

Aliases

1. CVE-2018-195662. NVD-2018-195663. OSV-DEBIAN-2018-195664. OSV-2018-195665. SECURITY-TRACKER-CVE-2018-19566

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.