libexif: CVE-2018-20030: Input validation issue resulting in a denial of service

Related Vulnerabilities: CVE-2018-20030  

Debian Bug report logs - #918730


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 8 Jan 2019 20:39:04 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions libexif/0.6.21-5, libexif/0.6.21-2

Fixed in version libexif/0.6.21-5.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#918730; Package src:libexif. (Tue, 08 Jan 2019 20:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 08 Jan 2019 20:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libexif: CVE-2018-20030: Input validation issue resulting in a denial of service
Date: Tue, 08 Jan 2019 21:36:52 +0100
Source: libexif
Version: 0.6.21-5
Severity: important
Tags: security upstream
Control: found -1 0.6.21-2

Hi,

The following vulnerability was published for libexif, for now filing
primarily for tracking, as there are not many details provided, even
when searching the cross-references to other distros' bug trackers.

CVE-2018-20030[0]:
Input validation issue resulting in a denial of service

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20030
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
[1] https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28/

Regards,
Salvatore



Marked as found in versions libexif/0.6.21-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 08 Jan 2019 20:39:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#918730; Package src:libexif. (Sun, 10 Feb 2019 13:27:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 10 Feb 2019 13:27:06 GMT)


Message #12 received at 918730@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 918730@bugs.debian.org
Subject: Re: libexif: CVE-2018-20030: Input validation issue resulting in a denial of service
Date: Sun, 10 Feb 2019 14:24:43 +0100
On Tue, Jan 08, 2019 at 09:36:52PM +0100, Salvatore Bonaccorso wrote:
> Source: libexif
> Version: 0.6.21-5
> Severity: important
> Tags: security upstream
> Control: found -1 0.6.21-2
> 
> Hi,
> 
> The following vulnerability was published for libexif, for now filing
> primarily for tracking, as there are not many details provided, even
> when searching the cross-references to other distros' bug trackers.
> 
> CVE-2018-20030[0]:
> Input validation issue resulting in a denial of service
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-20030
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
> [1] https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28/

This is fixed in
https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89

Can we get that into buster, please?

Cheers,
        Moritz



Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 10 Feb 2019 13:45:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#918730; Package src:libexif. (Sun, 10 Feb 2019 18:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 10 Feb 2019 18:03:03 GMT)


Message #19 received at 918730@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 918730@bugs.debian.org
Subject: libexif: diff for NMU version 0.6.21-5.1
Date: Sun, 10 Feb 2019 19:01:35 +0100
Control: tags 918730 + patch
Control: tags 918730 + pending


Dear maintainer,

I've prepared an NMU for libexif (versioned as 0.6.21-5.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

This should make it possible to still reach buster in time.

Regards,
Salvatore
[libexif-0.6.21-5.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 918730-submit@bugs.debian.org. (Sun, 10 Feb 2019 18:03:03 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 918730-submit@bugs.debian.org. (Sun, 10 Feb 2019 18:03:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#918730; Package src:libexif. (Mon, 18 Feb 2019 11:45:08 GMT)


Acknowledgement sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Mon, 18 Feb 2019 11:45:08 GMT)


Message #28 received at 918730@bugs.debian.org:

From: Hugh McMaster <hugh.mcmaster@outlook.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 918730@bugs.debian.org
Subject: Re: [Pkg-phototools-devel] Bug#918730: libexif: diff for NMU version 0.6.21-5.1
Date: Mon, 18 Feb 2019 22:43:58 +1100
Hi Salvatore,

Apologies for the delayed response.

On Mon, 11 Feb 2019 at 05:03, Salvatore Bonaccorso wrote:
> I've prepared an NMU for libexif (versioned as 0.6.21-5.1) and
> uploaded it to DELAYED/10. Please feel free to tell me if I
> should delay it longer.

This looks good to me. Please feel free to upload directly, instead of
waiting two more days.

Thank you for your work.

Hugh



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#918730; Package src:libexif. (Mon, 18 Feb 2019 14:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Mon, 18 Feb 2019 14:33:06 GMT)


Message #33 received at 918730@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Hugh McMaster <hugh.mcmaster@outlook.com>
Cc: 918730@bugs.debian.org
Subject: Re: [Pkg-phototools-devel] Bug#918730: libexif: diff for NMU version 0.6.21-5.1
Date: Mon, 18 Feb 2019 15:28:31 +0100
Hi Hugh,

On Mon, Feb 18, 2019 at 10:43:58PM +1100, Hugh McMaster wrote:
> Hi Salvatore,
> 
> Apologies for the delayed response.

No problem at all!

> On Mon, 11 Feb 2019 at 05:03, Salvatore Bonaccorso wrote:
> > I've prepared an NMU for libexif (versioned as 0.6.21-5.1) and
> > uploaded it to DELAYED/10. Please feel free to tell me if I
> > should delay it longer.
> 
> This looks good to me. Please feel free to upload directly, instead of
> waiting two more days.
> 
> Thank you for your work.

Thank you, rescheduled then to get it processed earlier!

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 18 Feb 2019 14:57:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 18 Feb 2019 14:57:05 GMT)


Message #38 received at 918730-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 918730-close@bugs.debian.org
Subject: Bug#918730: fixed in libexif 0.6.21-5.1
Date: Mon, 18 Feb 2019 14:56:20 +0000
Source: libexif
Source-Version: 0.6.21-5.1

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918730@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 10 Feb 2019 14:59:33 +0100
Source: libexif
Binary: libexif-dev libexif-doc libexif12 libexif12-dbgsym
Architecture: source
Version: 0.6.21-5.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 918730
Description: 
 libexif-dev - library to parse EXIF files (development files)
 libexif-doc - library to parse EXIF files (documentation)
 libexif12  - library to parse EXIF files
Changes:
 libexif (0.6.21-5.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Reduce maximum recursion depth in exif_data_load_data_content
   * Improve deep recursion detection in exif_data_load_data_content
     (CVE-2018-20030) (Closes: #918730)
Checksums-Sha1: 
 4f657f30b6be242741bc65b1db78cc3ef6c0e4af 2272 libexif_0.6.21-5.1.dsc
 c3cdeedecf57c2db9d12cd0f0f8980073ed495a7 13020 libexif_0.6.21-5.1.debian.tar.xz
Checksums-Sha256: 
 98676c725f48a1602b50499329df85545c997825705980ce5d27ec77effd7310 2272 libexif_0.6.21-5.1.dsc
 e026131413e0a951323e8325c9ce175fdb51d7820140c3e79db2a0b25d453c48 13020 libexif_0.6.21-5.1.debian.tar.xz
Files: 
 39bdd77652a0e93a80e57b5401bf870a 2272 libs optional libexif_0.6.21-5.1.dsc
 dde6f69b343d1f04585a6b6ec485b4a1 13020 libs optional libexif_0.6.21-5.1.debian.tar.xz


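The changelog entry above describes the fix as reducing the maximum recursion depth and improving deep-recursion detection in exif_data_load_data_content, the libexif routine that recurses into sub-IFDs. The following is an added example written for this page; it is not libexif code and does not reproduce the upstream commit. It is a minimal little-endian TIFF/IFD walker that follows the ExifIFD, GPS and Interoperability sub-IFD pointer tags (real EXIF tag numbers) and bounds the recursion, so that a self-referencing or very deeply nested IFD chain is rejected with an error instead of exhausting the stack. The cap MAX_IFD_DEPTH, the error codes, the build_tiff helper and the sample buffers it produces are assumptions constructed for the example, not libexif's constants or files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sub-IFD pointer tags an EXIF parser must follow (real EXIF tag numbers). */
#define TAG_EXIF_IFD    0x8769
#define TAG_GPS_IFD     0x8825
#define TAG_INTEROP_IFD 0xA005
#define TYPE_LONG       4
#define MAX_IFD_DEPTH   30      /* assumed cap for this example, not libexif's value */
#define ERR_MALFORMED   (-1)
#define ERR_TOO_DEEP    (-2)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk one IFD and recurse into its sub-IFD pointers. Returns the number of
 * IFDs visited, ERR_MALFORMED if the IFD runs past the buffer, or ERR_TOO_DEEP
 * once nesting exceeds MAX_IFD_DEPTH. Without the depth check, a pointer that
 * targets its own IFD (or a long chain) recurses until the stack is exhausted. */
static int walk_ifd(const uint8_t *buf, size_t len, uint32_t off, int depth)
{
    if (depth > MAX_IFD_DEPTH) return ERR_TOO_DEEP;
    if (off > len || len - off < 2) return ERR_MALFORMED;
    uint16_t n = rd16(buf + off);
    /* entry table plus the trailing next-IFD offset must fit in the buffer */
    if (len - off - 2 < (size_t)n * 12 + 4) return ERR_MALFORMED;

    int visited = 1;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + off + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4), value = rd32(e + 8);
        if ((tag == TAG_EXIF_IFD || tag == TAG_GPS_IFD || tag == TAG_INTEROP_IFD)
            && type == TYPE_LONG && count == 1) {
            int r = walk_ifd(buf, len, value, depth + 1);
            if (r < 0) return r;
            visited += r;
        }
    }
    return visited;   /* the IFD0 -> IFD1 "next" link is not followed here */
}

static int walk_tiff(const uint8_t *buf, size_t len)
{
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42) return ERR_MALFORMED;
    return walk_ifd(buf, len, rd32(buf + 4), 0);
}

/* Constructed sample input: a little-endian TIFF whose IFDs are chained
 * through ExifIFD pointers. With self_loop set, the single IFD points at itself. */
static size_t build_tiff(uint8_t *buf, size_t cap, int n_ifds, int self_loop)
{
    if (n_ifds < 1 || cap < 8 + (size_t)n_ifds * 18) return 0;
    memcpy(buf, "II", 2); wr16(buf + 2, 42); wr32(buf + 4, 8);
    size_t off = 8;
    for (int i = 0; i < n_ifds; i++) {
        if (i == n_ifds - 1 && !self_loop) {
            wr16(buf + off, 0);  wr32(buf + off + 2, 0);   /* no entries, no next IFD */
            off += 6;
        } else {
            uint32_t target = self_loop ? (uint32_t)off : (uint32_t)(off + 18);
            wr16(buf + off, 1);                   /* one entry: ExifIFD pointer */
            wr16(buf + off + 2, TAG_EXIF_IFD);  wr16(buf + off + 4, TYPE_LONG);
            wr32(buf + off + 6, 1);             wr32(buf + off + 10, target);
            wr32(buf + off + 14, 0);              /* no next IFD */
            off += 18;
        }
    }
    return off;
}

/* Build a sample and walk it in one call, so results can be checked directly. */
static int demo_chain(int n_ifds)
{
    uint8_t buf[1024];
    size_t len = build_tiff(buf, sizeof buf, n_ifds, 0);
    return len ? walk_tiff(buf, len) : ERR_MALFORMED;
}
static int demo_self_loop(void)
{
    uint8_t buf[64];
    size_t len = build_tiff(buf, sizeof buf, 1, 1);
    return len ? walk_tiff(buf, len) : ERR_MALFORMED;
}
static int demo_truncated(void)          /* drop the last byte of a 2-IFD file */
{
    uint8_t buf[64];
    size_t len = build_tiff(buf, sizeof buf, 2, 0);
    return len ? walk_tiff(buf, len - 1) : ERR_MALFORMED;
}

int main(void)
{
    printf("chain of 2: %d, chain of %d: %d, chain of %d: %d\n", demo_chain(2),
           MAX_IFD_DEPTH + 1, demo_chain(MAX_IFD_DEPTH + 1), MAX_IFD_DEPTH + 2, demo_chain(MAX_IFD_DEPTH + 2));
    printf("self-referencing: %d, truncated: %d\n", demo_self_loop(), demo_truncated());
    return 0;
}
```

A chain of up to MAX_IFD_DEPTH + 1 IFDs walks cleanly and reports the count; one more link, or a single IFD whose ExifIFD pointer targets itself, returns ERR_TOO_DEEP at the cap instead of recursing without bound, and a truncated file returns ERR_MALFORMED from the bounds check before any entry is read. The cap is deliberately small: real EXIF data nests only a few levels (IFD0, Exif, Interoperability, GPS), so a parser loses nothing by refusing anything deeper.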



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Mar 2019 07:28:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:38:43 2019; Machine Name: beach
