Your message dated Thu, 29 Aug 2013 15:21:22 +0000
with message-id <[email protected]>
and subject line Bug#721236: fixed in exactimage 0.8.9-1
has caused the Debian Bug report #721236,
regarding CVE-2013-1438: exactimage: multiple vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
721236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721236
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libraw
Severity: important
Tags: security
Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9
Control: retitle -1 CVE-2013-1438: libraw: multiple vulnerabilities
Control: retitle -2 CVE-2013-1438: dcraw: multiple vulnerabilities
Control reassign -2 dcraw
Control: retitle -3 CVE-2013-1438: darktable: multiple vulnerabilities
Control reassign -3 darktable
Control: retitle -4 CVE-2013-1438: ufraw: multiple vulnerabilities
Control reassign -4 ufraw
Control: retitle -5 CVE-2013-1438: xbmc: multiple vulnerabilities
Control reassign -5 src:xbmc
Control: retitle -6 CVE-2013-1438: exactimage: multiple vulnerabilities
Control reassign -6 exactimage
Control: retitle -7 CVE-2013-1438: rawstudio: multiple vulnerabilities
Control reassign -7 rawstudio
Control: retitle -8 CVE-2013-1438: rawtherapee: multiple vulnerabilities
Control reassign -8 rawtherapee
Control: retitle -9 CVE-2013-1438: libkdcraw: multiple vulnerabilities
Control reassign -9 libkdcraw

Hi,

I found a few vulnerabilities in dcraw, and they are all covered by the
CVE-2013-1438 id:
"Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference."

Alex Tutubalin, libraw upstream, has patched the vulnerabilities in
libraw and the patches should apply as-is to the vast majority of
embedders. For the details, see:
 http://www.openwall.com/lists/oss-security/2013/08/29/3

Please include the CVE id when fixing these vulnerabilities and
consider fixing them in old/stable via a {O,}SPU by following standard
procedures for stable release updates.

P.S. yes, the above Control list is annoying, but so is having so many
copies of the same code base in the archive.

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--- End Message ---
--- Begin Message ---
Source: exactimage
Source-Version: 0.8.9-1

We believe that the bug you reported is fixed in the latest version of
exactimage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Eckelmann <[email protected]> (supplier of updated exactimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 29 Aug 2013 16:17:32 +0200
Source: exactimage
Binary: exactimage edisplay exactimage-dbg libexactimage-perl php5-exactimage python-exactimage
Architecture: source amd64
Version: 0.8.9-1
Distribution: unstable
Urgency: high
Maintainer: Sven Eckelmann <[email protected]>
Changed-By: Sven Eckelmann <[email protected]>
Description: 
 edisplay   - fast image manipulation programs (image viewer)
 exactimage - fast image manipulation programs
 exactimage-dbg - fast image manipulation library (debug symbols)
 libexactimage-perl - fast image manipulation library (Perl bindings)
 php5-exactimage - fast image manipulation library (PHP bindings)
 python-exactimage - fast image manipulation library (Python bindings)
Closes: 721236
Changes: 
 exactimage (0.8.9-1) unstable; urgency=high
 .
   * New Upstream Version
   * Fix CVE-2013-1438: multiple denial of service vulnerabilities
     (Closes: #721236)
   * debian/rules:
     - Enable section garbage collection to reduce size caused by partial linked
       static library
     - Provide override_dh_auto_clean/test to avoid problems with stricter
       debhelper clean/test behavior since 9.20130720
   * debian/patches:
     - Add gcc_48_dcraw_infinite_loop.patch, Avoid infinite loops generated by
       GCC 4.8 caused by undefined behaviour
     - Remove upstream merged tga_memcpy_signature.patch and
       spelling_error.patch
     - Add CVE-2013-1438, Fix CVE-2013-1438
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
