Debian Bug report logs - #456760: exiv2: CVE-2007-6353 integer overflow in EXIF parsing
Reported by: Nico Golde <nion@debian.org>
Date: Mon, 17 Dec 2007 17:48:01 UTC
Severity: grave
Tags: patch, security
Fixed in version exiv2/0.15-2
Done: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: Bug#456760; Package exiv2.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: exiv2
Severity: grave
Tags: patch security
Hi,
an integer overflow was reported in exiv2's EXIF parsing
code which results in a heap-based buffer overflow.
This is CVE-2007-6353; please include the CVE id in your
changelog if you fix the bug.
Because our stable security team is not able to share
information and work together with the testing security team
I can unfortunately just forward you to the bug trackers of
other distributions.
Please see:
https://bugzilla.redhat.com/show_bug.cgi?id=425921
https://bugs.gentoo.org/show_bug.cgi?id=202351
They also include a patch for the issue.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
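The report above names the bug class (an integer overflow in EXIF parsing that ends in a heap-based buffer overflow) without showing the pattern. The following is an added illustration, not exiv2's code and not the patch referenced in the Red Hat and Gentoo trackers: it parses a single 12-byte TIFF/EXIF IFD entry from a constructed byte buffer and computes the payload length as count times type size, once in the unchecked 32-bit form that can wrap, and once with the range checks a parser needs before it sizes a heap buffer. The type table, the sample bytes, and all function names are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte width of each TIFF/EXIF field type code (assumed table for this example;
   1=BYTE 2=ASCII 3=SHORT 4=LONG 5=RATIONAL 6=SBYTE 7=UNDEFINED 8=SSHORT
   9=SLONG 10=SRATIONAL 11=FLOAT 12=DOUBLE). Unknown codes return 0. */
static size_t exif_type_size(uint16_t type) {
    switch (type) {
        case 1: case 2: case 6: case 7:   return 1;
        case 3: case 8:                   return 2;
        case 4: case 9: case 11:          return 4;
        case 5: case 10: case 12:         return 8;
        default:                          return 0;
    }
}

/* Vulnerable pattern, kept only for contrast: the product is formed in 32 bits,
   so a large count wraps to a small length and any buffer sized from it is too
   short for the bytes later copied into it. */
uint32_t entry_size_unchecked(uint16_t type, uint32_t count) {
    uint32_t ts = (uint32_t)exif_type_size(type);
    return count * ts;   /* wraps modulo 2^32 */
}

/* One IFD entry as laid out on disk ("II" little-endian byte order assumed). */
typedef struct {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t value_or_offset;
} ifd_entry;

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened pattern: parse the entry at `off` and compute its payload length in
   `*len`. Fails (returns false) when the entry itself is truncated, the type is
   unknown, the multiplication would wrap size_t, or the payload lies outside
   the buffer. Only on success is `*len` safe to use as an allocation size. */
bool parse_ifd_entry(const uint8_t *buf, size_t buflen, size_t off,
                     ifd_entry *e, size_t *len) {
    if (off > buflen || buflen - off < 12) return false;      /* entry truncated */
    e->tag             = rd16(buf + off);
    e->type            = rd16(buf + off + 2);
    e->count           = rd32(buf + off + 4);
    e->value_or_offset = rd32(buf + off + 8);

    size_t ts = exif_type_size(e->type);
    if (ts == 0) return false;                                 /* unknown type */
    if (e->count > SIZE_MAX / ts) return false;                /* product would wrap */
    *len = (size_t)e->count * ts;

    if (*len <= 4) return true;                                /* value stored inline */
    if (e->value_or_offset > buflen ||
        buflen - e->value_or_offset < *len) return false;      /* payload out of range */
    return true;
}

/* Constructed sample: tag 0x0110, type 2 (ASCII), count 6, offset 12 -> "Nikon\0". */
const uint8_t SAMPLE_GOOD[18] = {
    0x10, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
    'N', 'i', 'k', 'o', 'n', 0x00
};

/* Constructed sample: same tag, type 5 (RATIONAL, 8 bytes), count 0x20000001.
   count * 8 = 0x100000008, which wraps to 8 in 32-bit arithmetic. */
const uint8_t SAMPLE_BAD[18] = {
    0x10, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x20, 0x0C, 0x00, 0x00, 0x00,
    0, 0, 0, 0, 0, 0
};

int main(void) {
    ifd_entry e;
    size_t len = 0;
    printf("unchecked length for bad entry: %u\n", entry_size_unchecked(5, 0x20000001u));
    printf("good entry accepted: %d (len %zu)\n",
           parse_ifd_entry(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0, &e, &len), len);
    printf("bad entry accepted: %d\n",
           parse_ifd_entry(SAMPLE_BAD, sizeof SAMPLE_BAD, 0, &e, &len));
    return 0;
}
```

The unchecked function reports 8 bytes for the malformed entry, so an allocator fed that value hands back an 8-byte heap block while the parser believes it has room for over four billion; the checked parser rejects the same entry before any allocation happens, on either the wrap test or the buffer-range test depending on the width of size_t.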
Reply sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #10 received at 456760-close@bugs.debian.org:
Source: exiv2
Source-Version: 0.15-2
We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive:
exiv2_0.15-2.diff.gz
to pool/main/e/exiv2/exiv2_0.15-2.diff.gz
exiv2_0.15-2.dsc
to pool/main/e/exiv2/exiv2_0.15-2.dsc
exiv2_0.15-2_amd64.deb
to pool/main/e/exiv2/exiv2_0.15-2_amd64.deb
libexiv2-0_0.15-2_amd64.deb
to pool/main/e/exiv2/libexiv2-0_0.15-2_amd64.deb
libexiv2-dev_0.15-2_amd64.deb
to pool/main/e/exiv2/libexiv2-dev_0.15-2_amd64.deb
libexiv2-doc_0.15-2_all.deb
to pool/main/e/exiv2/libexiv2-doc_0.15-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 456760@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org> (supplier of updated exiv2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 17 Dec 2007 19:13:11 +0100
Source: exiv2
Binary: libexiv2-0 exiv2 libexiv2-doc libexiv2-dev
Architecture: source all amd64
Version: 0.15-2
Distribution: unstable
Urgency: high
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Description:
exiv2 - EXIF/IPTC metadata manipulation tool
libexiv2-0 - EXIF/IPTC metadata manipulation library
libexiv2-dev - EXIF/IPTC metadata manipulation library - development files
libexiv2-doc - EXIF/IPTC metadata manipulation library - HTML documentation
Closes: 456760
Changes:
exiv2 (0.15-2) unstable; urgency=high
.
[Ana Beatriz Guerrero Lopez]
* Team upload to fix security bug.
* Add patch to fix integer overflow in EXIF parsing.
CVE-2007-6353 (Closes: #456760)
Files:
5b8d46454017cfada87be91309ccb1c6 845 graphics optional exiv2_0.15-2.dsc
2247958520ab69227fcb730292340165 8209 graphics optional exiv2_0.15-2.diff.gz
7a3b5b1851268f51b8f6bd6b2b336cc5 2235442 doc optional libexiv2-doc_0.15-2_all.deb
7e9ca57ec062efa3ee131bb17390f310 89940 graphics optional exiv2_0.15-2_amd64.deb
733fb934d8473024fb75984c7f0b6d76 355054 libs optional libexiv2-0_0.15-2_amd64.deb
212f45ff8502a8396105f201a843aa24 764330 libdevel optional libexiv2-dev_0.15-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero
iD8DBQFHZsGpn3j4POjENGERAmnDAJ9i9aBAFaR2fAuFlyoSJzot2s9VDQCfbow/
moafcHpPl8On9j16j/koTC8=
=86/e
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Feb 2008 07:33:09 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:16:40 2019; Machine Name: buxtehude