exiv2: CVE-2014-9449: buffer overflow in RiffVideo::infoTagsHandler

Related Vulnerabilities: CVE-2014-9449  

Debian Bug report logs - #773846

Reported by: Klaus Ethgen <Klaus@Ethgen.de>

Date: Tue, 23 Dec 2014 23:21:06 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions exiv2/0.24-1, exiv2/0.24-4

Fixed in version exiv2/0.24-4.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://dev.exiv2.org/issues/960



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#773846; Package exiv2. (Tue, 23 Dec 2014 23:21:11 GMT)


Acknowledgement sent to Klaus Ethgen <Klaus@Ethgen.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Tue, 23 Dec 2014 23:21:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Klaus Ethgen <Klaus@Ethgen.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Buffer overflow in INFO tags of riff (patch from upstream)
Date: Wed, 24 Dec 2014 00:19:05 +0100
Package: exiv2
Version: 0.24-4.1
Severity: grave
Tags: security patch

There is a buffer overflow condition with some AVI files. I am not fully
sure but maybe it could be used for a code execution.

However, the bug is fixed upstream. See also report [0].

I extracted and tested the patch from upstream and added it to this
report.

This bug affects also many other packages that use libexiv2. Namely
geeqie and digikam.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (800, 'unstable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17.5 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages exiv2 depends on:
ii  libc6        2.19-13
ii  libexiv2-13  0.24-4.1
ii  libgcc1      1:4.9.2-9
ii  libstdc++6   4.9.2-9

exiv2 recommends no packages.

exiv2 suggests no packages.

-- no debconf information

[0] http://dev.exiv2.org/issues/1002
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
[0001-960-Added-a-Buffer-Overflow-Fix-in-INFO-tags-of-RIFF.patch (text/x-diff, attachment)]

Added indication that 773846 affects geeqie Request was from Klaus Ethgen <Klaus@Ethgen.de> to control@bugs.debian.org. (Tue, 23 Dec 2014 23:27:04 GMT)


Added indication that 773846 affects digikam Request was from Klaus Ethgen <Klaus@Ethgen.de> to control@bugs.debian.org. (Tue, 23 Dec 2014 23:27:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#773846; Package exiv2. (Tue, 23 Dec 2014 23:42:04 GMT)


Acknowledgement sent to Klaus Ethgen <Klaus@Ethgen.de>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Tue, 23 Dec 2014 23:42:04 GMT)


Message #14 received at 773846@bugs.debian.org:

From: Klaus Ethgen <Klaus@Ethgen.de>
To: 773846@bugs.debian.org
Subject: Re: Bug#773846: Acknowledgement (Buffer overflow in INFO tags of riff (patch from upstream))
Date: Wed, 24 Dec 2014 00:39:44 +0100

Please note that the version used in report is my local build package.
The report should obviously be filed for version 0.24-4.

Regards
   Klaus
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Marked as found in versions exiv2/0.24-4. Request was from Klaus Ethgen <Klaus@Ethgen.de> to control@bugs.debian.org. (Tue, 23 Dec 2014 23:42:08 GMT)


No longer marked as found in versions 0.24-4.1. Request was from Klaus Ethgen <Klaus@Ethgen.de> to control@bugs.debian.org. (Tue, 23 Dec 2014 23:45:04 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 Dec 2014 06:18:04 GMT)


Set Bug forwarded-to-address to 'http://dev.exiv2.org/issues/1002'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 Dec 2014 06:18:05 GMT)


Changed Bug forwarded-to-address to 'http://dev.exiv2.org/issues/960' from 'http://dev.exiv2.org/issues/1002' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Jan 2015 19:15:11 GMT)


Changed Bug title to 'exiv2: CVE-2014-9449: buffer overflow in RiffVideo::infoTagsHandler' from 'Buffer overflow in INFO tags of riff (patch from upstream)' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Jan 2015 19:15:16 GMT)


Marked as found in versions exiv2/0.24-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Jan 2015 19:18:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#773846; Package exiv2. (Wed, 07 Jan 2015 19:51:17 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Wed, 07 Jan 2015 19:51:17 GMT)


Message #33 received at 773846@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 773846@bugs.debian.org
Subject: exiv2: diff for NMU version 0.24-4.1
Date: Wed, 7 Jan 2015 20:48:31 +0100
Control: tags 773846 + pending

Dear maintainer,

I've prepared an NMU for exiv2 (versioned as 0.24-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[exiv2-0.24-4.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 773846-submit@bugs.debian.org. (Wed, 07 Jan 2015 19:51:17 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 09 Jan 2015 21:21:22 GMT)


Notification sent to Klaus Ethgen <Klaus@Ethgen.de>:
Bug acknowledged by developer. (Fri, 09 Jan 2015 21:21:22 GMT)


Message #40 received at 773846-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 773846-close@bugs.debian.org
Subject: Bug#773846: fixed in exiv2 0.24-4.1
Date: Fri, 09 Jan 2015 21:20:33 +0000
Source: exiv2
Source-Version: 0.24-4.1

We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773846@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 07 Jan 2015 20:25:48 +0100
Source: exiv2
Binary: exiv2 libexiv2-13 libexiv2-dev libexiv2-doc libexiv2-dbg
Architecture: source amd64 all
Version: 0.24-4.1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 exiv2      - EXIF/IPTC metadata manipulation tool
 libexiv2-13 - EXIF/IPTC metadata manipulation library
 libexiv2-dbg - EXIF/IPTC metadata manipulation library - debug
 libexiv2-dev - EXIF/IPTC metadata manipulation library - development files
 libexiv2-doc - EXIF/IPTC metadata manipulation library - HTML documentation
Closes: 773846
Changes:
 exiv2 (0.24-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add CVE-2014-9449.patch patch.
     CVE-2014-9449: buffer overflow in RiffVideo::infoTagsHandler
     Thanks to Klaus Ethgen <Klaus@Ethgen.de> (Closes: #773846)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Feb 2015 07:25:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:57:03 2019; Machine Name: buxtehude
