Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

exiv2: CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340

Related Vulnerabilities: CVE-2017-11336   CVE-2017-11337   CVE-2017-11338   CVE-2017-11339   CVE-2017-11340   CVE-2017-11335  

Source

Debian Bug report logs - #868578
exiv2: CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340

version graph

Package: exiv2; Maintainer for exiv2 is Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>; Source for exiv2 is src:exiv2 (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 16 Jul 2017 20:51:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in version exiv2/0.26-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#868578; Package exiv2. (Sun, 16 Jul 2017 20:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sun, 16 Jul 2017 20:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Date: Sun, 16 Jul 2017 22:49:24 +0200
Package: exiv2
Version: 0.25-3.1
Severity: important
Tags: security

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#868578; Package exiv2. (Mon, 17 Jul 2017 11:39:04 GMT) (full text, mbox, link).

Acknowledgement sent to Maximiliano Curia <maxy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Mon, 17 Jul 2017 11:39:04 GMT) (full text, mbox, link).

Message #10 received at 868578@bugs.debian.org (full text, mbox, reply):

From: Maximiliano Curia <maxy@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 868578@bugs.debian.org
Subject: Re: [Pkg-kde-extras] Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Date: Mon, 17 Jul 2017 13:36:41 +0200
[Message part 1 (text/plain, inline)]
Control: notfound -1 0.25-3.1
Control: found -1 0.26-1

¡Hola Moritz!

El 2017-07-16 a las 22:49 +0200, Moritz Muehlenhoff escribió:
> Package: exiv2 
> Version: 0.25-3.1 
> Severity: important 
> Tags: security
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335

This one seems to be libtiff specific, if this is reproducible with exiv2, 
please let me know how to reproduce it.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340

I couldn't reproduce these with 0.25-3.1, but these issues are clearly there 
for 0.26-1. Thanks for the heads up, I guess we would either skip 0.26 for 
unstable or, at least, wait till these issues are patched.

Happy hacking,
-- 
"Politicians and diapers have one thing in common. They should both be changed
regularly, and for the same reason." ― José Maria de Eça de Queiroz
Saludos /\/\ /\ >< `/


[signature.asc (application/pgp-signature, inline)]

No longer marked as found in versions exiv2/0.25-3.1. Request was from Maximiliano Curia <maxy@debian.org> to 868578-submit@bugs.debian.org. (Mon, 17 Jul 2017 11:39:04 GMT) (full text, mbox, link).

Marked as found in versions exiv2/0.26-1. Request was from Maximiliano Curia <maxy@debian.org> to 868578-submit@bugs.debian.org. (Mon, 17 Jul 2017 11:39:05 GMT) (full text, mbox, link).

Changed Bug title to 'exiv2: CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340' from 'CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Jul 2017 12:12:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#868578; Package exiv2. (Mon, 17 Jul 2017 12:15:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Mon, 17 Jul 2017 12:15:03 GMT) (full text, mbox, link).

Message #21 received at 868578@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Maximiliano Curia <maxy@debian.org>, 868578@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#868578: [Pkg-kde-extras] Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Date: Mon, 17 Jul 2017 14:12:10 +0200
Hi

On Mon, Jul 17, 2017 at 01:36:41PM +0200, Maximiliano Curia wrote:
> Control: notfound -1 0.25-3.1
> Control: found -1 0.26-1
> 
> ??Hola Moritz!
> 
> El 2017-07-16 a las 22:49 +0200, Moritz Muehlenhoff escribi??:
> > Package: exiv2 Version: 0.25-3.1 Severity: important Tags: security
> > 
> > Please see:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
> 
> This one seems to be libtiff specific, if this is reproducible with exiv2,
> please let me know how to reproduce it.

I think that one was a copy-paste glitch, it is for src:tiff, cf.
https://security-tracker.debian.org/tracker/CVE-2017-11335

> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340
> 
> I couldn't reproduce these with 0.25-3.1, but these issues are clearly there
> for 0.26-1. Thanks for the heads up, I guess we would either skip 0.26 for
> unstable or, at least, wait till these issues are patched.

Hmm, not beeing able to reproduce does not necessarly mean the issue
is not present. Is there source-wise evidence that they do not affect
versions prior to 0.26? AFAICT at least the Image::printIFDStructure*
functions are not present in older versions as exiv2 in unstable.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#868578; Package exiv2. (Sat, 30 Dec 2017 10:54:02 GMT) (full text, mbox, link).

Acknowledgement sent to Simon Frei <freisim93@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sat, 30 Dec 2017 10:54:03 GMT) (full text, mbox, link).

Message #26 received at 868578@bugs.debian.org (full text, mbox, reply):

From: Simon Frei <freisim93@gmail.com>
To: 868578@bugs.debian.org
Subject: Re: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Date: Sat, 30 Dec 2017 11:51:08 +0100
Fixed and backported to 0.26 upstream:
https://github.com/Exiv2/exiv2/issues/49
https://github.com/Exiv2/exiv2/issues/50
https://github.com/Exiv2/exiv2/issues/51
https://github.com/Exiv2/exiv2/issues/52
https://github.com/Exiv2/exiv2/issues/53

Added tag(s) fixed-upstream. Request was from Simon Frei <freisim93@gmail.com> to control@bugs.debian.org. (Sat, 30 Dec 2017 10:54:06 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:27:00 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started