Security update for libraw

Announcement ID:	SUSE-SU-2025:01569-1
Release Date:	2025-06-06T13:12:50Z
Rating:	moderate
References:	bsc#1241584 bsc#1241585 bsc#1241642 bsc#1241643
Cross-References:	CVE-2025-43961 CVE-2025-43962 CVE-2025-43963 CVE-2025-43964
CVSS scores:	CVE-2025-43961 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-43961 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-43961 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-43961 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2025-43962 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-43962 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-43962 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2025-43962 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-43963 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-43963 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2025-43963 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-43964 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-43964 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-43964 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-43964 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7

An update that solves four vulnerabilities can now be installed.

Description:

This update for libraw fixes the following issues:

• CVE-2025-43961: Fixed out-of-bounds read in the Fujifilm 0xf00c tag parser in metadata/tiff.cpp (bsc#1241643)
• CVE-2025-43962: Fixed out-of-bounds read when tag 0x412 processing in phase_one_correct function (bsc#1241585)
• CVE-2025-43963: Fixed out-of-buffer access during phase_one_correct in decoders/load_mfbacks.cpp (bsc#1241642)
• CVE-2025-43964: Fixed tag 0x412 processing in phase_one_correct does not enforce minimum w0 and w1 values (bsc#1241584)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP7
  zypper in -t patch SUSE-SLE-Product-WE-15-SP7-2025-1569=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP7 (x86_64)
  • libraw16-debuginfo-0.18.9-150000.3.30.1
  • libraw-debugsource-0.18.9-150000.3.30.1
  • libraw-debuginfo-0.18.9-150000.3.30.1
  • libraw16-0.18.9-150000.3.30.1

References:

• https://www.suse.com/security/cve/CVE-2025-43961.html
• https://www.suse.com/security/cve/CVE-2025-43962.html
• https://www.suse.com/security/cve/CVE-2025-43963.html
• https://www.suse.com/security/cve/CVE-2025-43964.html
• https://bugzilla.suse.com/show_bug.cgi?id=1241584
• https://bugzilla.suse.com/show_bug.cgi?id=1241585
• https://bugzilla.suse.com/show_bug.cgi?id=1241642
• https://bugzilla.suse.com/show_bug.cgi?id=1241643