exif: CVE-2021-27815: NULL pointer dereference with strncpy() in exif/actions.c

Related Vulnerabilities: CVE-2021-27815  

Debian Bug report logs - #1018814


Reported by: Aron Xu <aron@debian.org>

Date: Wed, 31 Aug 2022 07:51:02 UTC

Severity: normal

Tags: security

Found in version exif/0.6.22-2

Fixed in version exif/0.6.22-3

Done: Hugh McMaster <hugh.mcmaster@outlook.com>

Forwarded to https://github.com/libexif/exif/issues/4



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#1018814; Package exif. (Wed, 31 Aug 2022 07:51:05 GMT)


Acknowledgement sent to Aron Xu <aron@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 31 Aug 2022 07:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: submit@bugs.debian.org
Subject: exif: update for null ptr fixes
Date: Wed, 31 Aug 2022 15:46:32 +0800
Package: exif
Severity: wishlist

I have prepared an update for the exif package to address two null pointer issues;
the changes have been submitted as an MR on salsa. Also see the debdiff in the
attachment.

Regards,
Aron Xu
[exif_0.6.22-3.debdiff (text/plain, attachment)]

Added tag(s) pending. Request was from Hugh McMaster <hugh.mcmaster@outlook.com> to control@bugs.debian.org. (Fri, 02 Sep 2022 00:45:02 GMT)


Reply sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
You have taken responsibility. (Tue, 06 Sep 2022 01:39:03 GMT)


Notification sent to Aron Xu <aron@debian.org>:
Bug acknowledged by developer. (Tue, 06 Sep 2022 01:39:03 GMT)


Message #12 received at 1018814-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1018814-close@bugs.debian.org
Subject: Bug#1018814: fixed in exif 0.6.22-3
Date: Tue, 06 Sep 2022 01:34:28 +0000
Source: exif
Source-Version: 0.6.22-3
Done: Hugh McMaster <hugh.mcmaster@outlook.com>

We believe that the bug you reported is fixed in the latest version of
exif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1018814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugh McMaster <hugh.mcmaster@outlook.com> (supplier of updated exif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 05 Sep 2022 14:01:03 +1000
Source: exif
Architecture: source
Version: 0.6.22-3
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Hugh McMaster <hugh.mcmaster@outlook.com>
Closes: 1018814
Changes:
 exif (0.6.22-3) unstable; urgency=medium
 .
   * debian/control: Raise Standards-Version to 4.6.1 (no changes needed).
   * debian/copyright: Update for 2022.
   * debian/gbp.conf: Use DEP-14 branch naming; require signed tags.
   * debian/patches:
     + Add patch for CVE-2021-27815 (Closes: #1018814).
     + Prevent NULL pointer dereference with strncpy() in exif/actions.c.
       Thanks to Aron Xu for forwarding the upstream patch.


Marked as found in versions exif/0.6.22-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Sep 2022 04:27:02 GMT)


Severity set to 'normal' from 'wishlist'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Sep 2022 04:27:03 GMT)


Changed Bug title to 'exif: CVE-2021-27815: NULL pointer dereference with strncpy() in exif/actions.c' from 'exif: update for null ptr fixes'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Sep 2022 04:27:03 GMT)


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Sep 2022 04:27:04 GMT)


Set Bug forwarded-to-address to 'https://github.com/libexif/exif/issues/4'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Sep 2022 04:27:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 6 13:20:00 2022; Machine Name: bembo