Debian Bug report logs -
#486328
CVE-2008-2696: DoS via metadata in images
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
:
Bug#486328
; Package exiv2
.
(full text, mbox, link).
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: exiv2
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for exiv2.
CVE-2008-2696[0]:
Exiv2 0.16 allows user-assisted remote attackers to cause a denial of
service (divide-by-zero and application crash) via a zero value in Nikon
lens information in the metadata of an image, related to "pretty
printing" and the RationalValue::toLong function.
See upstream patch at:
http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2696
http://security-tracker.debian.net/tracker/CVE-2008-2696
Severity set to `important' from `grave'
Request was from Steffen Joeris <steffen.joeris@skolelinux.de>
to control@bugs.debian.org
.
(Sun, 15 Jun 2008 11:48:06 GMT) (full text, mbox, link).
Bug marked as found in version 0.16-1.
Request was from Mark Purcell <msp@debian.org>
to control@bugs.debian.org
.
(Mon, 16 Jun 2008 12:09:09 GMT) (full text, mbox, link).
Bug marked as fixed in version 0.17-1.
Request was from Mark Purcell <msp@debian.org>
to control@bugs.debian.org
.
(Mon, 16 Jun 2008 12:09:10 GMT) (full text, mbox, link).
Message sent on to Steffen Joeris <steffen.joeris@skolelinux.de>
:
Bug#486328.
(full text, mbox, link).
Message #16 received at 486328-submitter@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
found 486328 0.16-1
fixed 486328 0.17-1
forwarded 486328 http://dev.robotbattle.com/bugs/view.php?id=0000546
thanks
On Sun, 15 Jun 2008, Steffen Joeris wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for exiv2.
Thanks Steffen,
I have already uploaded the fixed upstream to experimental, and awaiting
clearance from debian-release to upload to unstable, which will fix this
issue for lenny and sid. I do not propose to upload a fixed package to
testing-updates.
http://lists.debian.org/debian-release/2008/06/msg00231.html
Mark
[signature.asc (application/pgp-signature, inline)]
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>
:
Extra info received and filed, but not forwarded.
(full text, mbox, link).
Message #21 received at 486328-quiet@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 16 Jun 2008 02:06:40 pm Mark Purcell wrote:
> found 486328 0.16-1
> fixed 486328 0.17-1
> forwarded 486328 http://dev.robotbattle.com/bugs/view.php?id=0000546
> thanks
>
> On Sun, 15 Jun 2008, Steffen Joeris wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for exiv2.
>
> Thanks Steffen,
>
> I have already uploaded the fixed upstream to experimental, and awaiting
> clearance from debian-release to upload to unstable, which will fix this
> issue for lenny and sid. I do not propose to upload a fixed package to
> testing-updates.
>
> http://lists.debian.org/debian-release/2008/06/msg00231.html
In this case, testing-security (which gets copied to testing-proposed
automagically) would be the right way, but the issue is not severe enough, so
I agree with your opinion.
Thanks for your work.
Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
:
Bug#486328
; Package exiv2
.
(full text, mbox, link).
Acknowledgement sent to Mark Purcell <msp@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #26 received at 486328@bugs.debian.org (full text, mbox, reply):
# Automatically generated email from bts, devscripts version 2.10.29
#
# exiv2 (0.17-2) UNRELEASED; urgency=medium
#
# * Version 0.17 also fixes:
# - CVE-2008-2696: DoS via metadata in images (Closes: #486328)
# - crashes when fed with wrong file (Closes: #485670)
#
package libexiv2-doc libexiv2-dev libexiv2-4 exiv2
tags 486328 + pending
Tags added: pending
Request was from Mark Purcell <msp@debian.org>
to control@bugs.debian.org
.
(Mon, 16 Jun 2008 12:27:04 GMT) (full text, mbox, link).
Reply sent to Mark Purcell <msp@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #33 received at 486328-close@bugs.debian.org (full text, mbox, reply):
Source: exiv2
Source-Version: 0.17.1-1
We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive:
exiv2_0.17.1-1.diff.gz
to pool/main/e/exiv2/exiv2_0.17.1-1.diff.gz
exiv2_0.17.1-1.dsc
to pool/main/e/exiv2/exiv2_0.17.1-1.dsc
exiv2_0.17.1-1_powerpc.deb
to pool/main/e/exiv2/exiv2_0.17.1-1_powerpc.deb
exiv2_0.17.1.orig.tar.gz
to pool/main/e/exiv2/exiv2_0.17.1.orig.tar.gz
libexiv2-4_0.17.1-1_powerpc.deb
to pool/main/e/exiv2/libexiv2-4_0.17.1-1_powerpc.deb
libexiv2-dev_0.17.1-1_powerpc.deb
to pool/main/e/exiv2/libexiv2-dev_0.17.1-1_powerpc.deb
libexiv2-doc_0.17.1-1_all.deb
to pool/main/e/exiv2/libexiv2-doc_0.17.1-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 486328@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated exiv2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 21 Jun 2008 08:23:53 +1000
Source: exiv2
Binary: exiv2 libexiv2-4 libexiv2-dev libexiv2-doc
Architecture: source all powerpc
Version: 0.17.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description:
exiv2 - EXIF/IPTC metadata manipulation tool
libexiv2-4 - EXIF/IPTC metadata manipulation library
libexiv2-dev - EXIF/IPTC metadata manipulation library - development files
libexiv2-doc - EXIF/IPTC metadata manipulation library - HTML documentation
Closes: 485670 486328
Changes:
exiv2 (0.17.1-1) unstable; urgency=medium
.
* New upstream release
- Library transition cleared on debian-release/ d-d-a
* Version 0.17 also fixes:
- CVE-2008-2696: DoS via metadata in images (Closes: #486328)
- crashes when fed with wrong file (Closes: #485670)
* Urgency medium for CVE fix
* debian/patches/gcc4.3.diff unecessary for gcc-4.3
* Add /usr/share/bug/exiv2/presubj message for reportbug(1)
Checksums-Sha1:
0a9165530debd9308d3b440a6b82a75a099f853c 1368 exiv2_0.17.1-1.dsc
7872fde6181dd0958c8d855bea35b95094ac06c7 1807220 exiv2_0.17.1.orig.tar.gz
a318dd7ed4024bf7afd7a3887b87a81e227986e0 8948 exiv2_0.17.1-1.diff.gz
b214961db8bfa123b5c2826fc3743dd764a4e3a2 3606268 libexiv2-doc_0.17.1-1_all.deb
a1bf9b20014535132dfd18a290826dc421798fb8 96298 exiv2_0.17.1-1_powerpc.deb
f80c6d7cd3aa04078a833ce4b9c01b29509489a4 658406 libexiv2-4_0.17.1-1_powerpc.deb
fdb2a5775b8c76a0c8c37a9972677ff7e168c066 1373722 libexiv2-dev_0.17.1-1_powerpc.deb
Checksums-Sha256:
674319b1fd2f7b0cf1e55617483f4e24ceb375f6c6bddbb1f94b82e440a9f935 1368 exiv2_0.17.1-1.dsc
6b5516159a1068e6253c787e391288e1b170bc702553c7121c4b693b293704cb 1807220 exiv2_0.17.1.orig.tar.gz
5d05da45a36cbd2f9c898a010164b8c3cc4622d73211e6b7c8d7e22da2dda1c2 8948 exiv2_0.17.1-1.diff.gz
a154fd4f5764723341c9fcb8d2808e54125e5ed3503bf2ebe26c83d58e5f0240 3606268 libexiv2-doc_0.17.1-1_all.deb
b9fa85f8fa236021721a7a08a88d5ce035393e4fe5e6e75f2cae976beb09a7af 96298 exiv2_0.17.1-1_powerpc.deb
1105edf1c4a6567c0651938a444bbad4c7712efc892e7d621b85c2f0b3218728 658406 libexiv2-4_0.17.1-1_powerpc.deb
122c6d6245f8c860d851b72b312f707ef049f03bae4690e51b4d65ecb6789253 1373722 libexiv2-dev_0.17.1-1_powerpc.deb
Files:
6f59a29ae32dc1d90a393b2fcd2be82d 1368 graphics optional exiv2_0.17.1-1.dsc
52a602f4f0d9e89b7084ac795b7547ac 1807220 graphics optional exiv2_0.17.1.orig.tar.gz
4f8298dac3e9c3b4657f412597f7993e 8948 graphics optional exiv2_0.17.1-1.diff.gz
6111945daf9b0e40ef562b5c623b667f 3606268 doc optional libexiv2-doc_0.17.1-1_all.deb
d352fdc790fb8c860875b96a268c01a5 96298 graphics optional exiv2_0.17.1-1_powerpc.deb
001d9638486baff7cd2511eb450fb24a 658406 libs optional libexiv2-4_0.17.1-1_powerpc.deb
6eafbb9a92fdc936f1a3be1ffb848841 1373722 libdevel optional libexiv2-dev_0.17.1-1_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhci4gACgkQoCzanz0IthKsCgCgm0uW/yMpqV6E00LQ1xQ17+1a
pLUAni9dgd68LglRRJasyQepNcJ484pH
=eXWa
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 29 Jul 2008 07:30:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:29:00 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.