Your message dated Sat, 09 May 2026 08:34:52 +0000
with message-id <[email protected]>
and subject line Bug#1133923: fixed in libexif 0.6.24-1+deb12u1
has caused the Debian Bug report #1133923,
regarding libexif: CVE-2026-40386
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133923
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libexif
Version: 0.6.25-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libexif.
CVE-2026-40386[0]:
| In libexif through 0.6.25, an integer underflow in size checking for
| Fuji and Olympus MakerNote decoding could be used by attackers to
| crash or leak information out of libexif-using programs.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40386
    https://www.cve.org/CVERecord?id=CVE-2026-40386
[1] https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libexif
Source-Version: 0.6.24-1+deb12u1
Done: Emmanuel Arias <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Arias <[email protected]> (supplier of updated libexif package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 20 Apr 2026 07:42:42 -0300
Source: libexif
Architecture: source
Version: 0.6.24-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Emmanuel Arias <[email protected]>
Closes: 1131116 1133922 1133923
Changes:
 libexif (0.6.24-1+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   * d/patches/CVE-2026-40386.patch Add patch for CVE-2026-40386.
     - An integer underflow in size checking for Fuji and Olympus MakerNote
       decoding could be used by attackers to crash or leak information out
       of libexif-using programs (Closes: #1133923).
   * d/patches/CVE-2026-40385.patch: Add patch for CVE-2026-40385.
     - An unsigned 32bit integer overflow in Nikon MakerNote handling could
       be used by local attackers to cause crashes or information leaks.
       (Closes: #1133922).
   * d/patches/CVE-2026-32775.patch: Add patch for CVE-2026-32775.patch.
     - If the exif_mnote_data_get_value function in MakerNotes gets passed
       in a 0 size, the passed in-buffer would be overwritten due to an
       integer underflow (Closes: #1131116).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---