Debian Bug report logs - #868578
exiv2: CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: Bug#868578; Package exiv2. (Sun, 16 Jul 2017 20:51:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sun, 16 Jul 2017 20:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: exiv2
Version: 0.25-3.1
Severity: important
Tags: security
Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: Bug#868578; Package exiv2. (Mon, 17 Jul 2017 11:39:04 GMT)
Acknowledgement sent to Maximiliano Curia <maxy@debian.org>: Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Mon, 17 Jul 2017 11:39:04 GMT)
Message #10 received at 868578@bugs.debian.org:
Control: notfound -1 0.25-3.1
Control: found -1 0.26-1
Hello Moritz!
On 2017-07-16 at 22:49 +0200, Moritz Muehlenhoff wrote:
> Package: exiv2
> Version: 0.25-3.1
> Severity: important
> Tags: security
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
This one seems to be libtiff-specific; if this is reproducible with exiv2,
please let me know how to reproduce it.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340
I couldn't reproduce these with 0.25-3.1, but these issues are clearly there
for 0.26-1. Thanks for the heads up, I guess we would either skip 0.26 for
unstable or, at least, wait till these issues are patched.
Happy hacking,
--
"Politicians and diapers have one thing in common. They should both be changed
regularly, and for the same reason." ― José Maria de Eça de Queiroz
Regards /\/\ /\ >< `/
No longer marked as found in versions exiv2/0.25-3.1. Request was from Maximiliano Curia <maxy@debian.org> to 868578-submit@bugs.debian.org. (Mon, 17 Jul 2017 11:39:04 GMT)
Marked as found in versions exiv2/0.26-1. Request was from Maximiliano Curia <maxy@debian.org> to 868578-submit@bugs.debian.org. (Mon, 17 Jul 2017 11:39:05 GMT)
Changed Bug title to 'exiv2: CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340' from 'CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Jul 2017 12:12:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: Bug#868578; Package exiv2. (Mon, 17 Jul 2017 12:15:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Mon, 17 Jul 2017 12:15:03 GMT)
Message #21 received at 868578@bugs.debian.org:
Hi
On Mon, Jul 17, 2017 at 01:36:41PM +0200, Maximiliano Curia wrote:
> Control: notfound -1 0.25-3.1
> Control: found -1 0.26-1
>
> Hello Moritz!
>
> On 2017-07-16 at 22:49 +0200, Moritz Muehlenhoff wrote:
> > Package: exiv2
> > Version: 0.25-3.1
> > Severity: important
> > Tags: security
> >
> > Please see:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
>
> This one seems to be libtiff specific, if this is reproducible with exiv2,
> please let me know how to reproduce it.
I think that one was a copy-paste glitch, it is for src:tiff, cf.
https://security-tracker.debian.org/tracker/CVE-2017-11335
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340
>
> I couldn't reproduce these with 0.25-3.1, but these issues are clearly there
> for 0.26-1. Thanks for the heads up, I guess we would either skip 0.26 for
> unstable or, at least, wait till these issues are patched.
Hmm, not being able to reproduce does not necessarily mean the issue
is not present. Is there source-wise evidence that they do not affect
versions prior to 0.26? AFAICT at least the Image::printIFDStructure*
functions are not present in older versions such as exiv2 in unstable.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: Bug#868578; Package exiv2. (Sat, 30 Dec 2017 10:54:02 GMT)
Acknowledgement sent to Simon Frei <freisim93@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sat, 30 Dec 2017 10:54:03 GMT)
Message #26 received at 868578@bugs.debian.org:
Fixed and backported to 0.26 upstream:
https://github.com/Exiv2/exiv2/issues/49
https://github.com/Exiv2/exiv2/issues/50
https://github.com/Exiv2/exiv2/issues/51
https://github.com/Exiv2/exiv2/issues/52
https://github.com/Exiv2/exiv2/issues/53
Added tag(s) fixed-upstream. Request was from Simon Frei <freisim93@gmail.com> to control@bugs.debian.org. (Sat, 30 Dec 2017 10:54:06 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:27:00 2019.