Your message dated Thu, 23 Jan 2020 21:24:09 +0000
with message-id <[email protected]>
and subject line Bug#945948: fixed in libexif 0.6.21-6
has caused the Debian Bug report #945948,
regarding libexif: CVE-2019-9278
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
945948: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945948
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libexif
Version: 0.6.21-5.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexif/libexif/issues/26
Control: found -1 0.6.21-2

Hi,

The following vulnerability was published for libexif.

CVE-2019-9278[0]:
| In libexif, there is a possible out of bounds write due to an integer
| overflow. This could lead to remote escalation of privilege in the
| media content provider with no additional execution privileges needed.
| User interaction is needed for exploitation. Product: Android. Versions:
| Android-10. Android ID: A-112537774


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9278
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
[1] https://github.com/libexif/libexif/issues/26

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libexif
Source-Version: 0.6.21-6

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugh McMaster <[email protected]> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 23 Jan 2020 20:03:01 +1100
Source: libexif
Architecture: source
Version: 0.6.21-6
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Hugh McMaster <[email protected]>
Closes: 945948
Changes:
 libexif (0.6.21-6) unstable; urgency=medium
 .
   * Team upload.
   * Acknowledge NMU by Salvatore Bonaccorso.
   * debian/changelog: Remove trailing whitespace.
   * debian/control:
     - Build-Depend on debhelper-compat (=12).
     - Raise Standards-Version to 4.5.0 from 4.1.3 (no changes needed).
     - Declare Rules-Requires-Root: no.
   * debian/patches: Add upstream patches by Marcus Meissner:
     - Avoid the use of unsafe integer overflow checking constructs
       (CVE-2019-9278) (Closes: #945948).
     - Avoid implicit behaviour by casting to unsigned int before shifting left.
   * debian/rules: Do not manually install libexif.pc into a multi-arch libdir.
   * libexif12.symbols: Specify libexif-dev in the Build-Depends-Package
       meta-information field.
   * Add Debian upstream/metadata file.


--- End Message ---
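
The bug class named in the report and changelog above (an integer overflow in a bounds check leading to an out-of-bounds write) can be shown in a few lines of C. This is an added illustration, not code from libexif or from the Debian patch; the function names and the sample buffer are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unsafe construct: offset + length wraps modulo 2^32, so a very
 * large length produces a small sum and the check passes. */
int range_ok_naive(uint32_t offset, uint32_t length, uint32_t size)
{
    return (uint32_t)(offset + length) <= size;
}

/* Wrap-free form: never compute offset + length. Check the offset
 * first, then compare length with the bytes remaining after it. */
int range_ok_safe(uint32_t offset, uint32_t length, uint32_t size)
{
    if (offset > size)
        return 0;
    return length <= size - offset;
}

/* Copy a field out of an untrusted buffer only when both the source
 * range and the destination capacity have been validated.
 * Returns the number of bytes copied, or -1 when rejected. */
int copy_field(const unsigned char *buf, uint32_t size,
               uint32_t offset, uint32_t length,
               unsigned char *out, uint32_t out_size)
{
    if (!range_ok_safe(offset, length, size) || length > out_size)
        return -1;
    memcpy(out, buf + offset, length);
    return (int)length;
}

int main(void)
{
    /* Constructed sample input: 64-byte buffer, attacker-chosen length. */
    unsigned char buf[64] = {0}, out[64];
    uint32_t offset = 16, length = 0xFFFFFFF8u;

    printf("naive check accepts: %d\n",
           range_ok_naive(offset, length, sizeof buf));
    printf("safe check accepts:  %d\n",
           range_ok_safe(offset, length, sizeof buf));
    printf("copy_field returns:  %d\n",
           copy_field(buf, sizeof buf, offset, length, out, sizeof out));
    return 0;
}
```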
