Your message dated Fri, 28 Apr 2023 13:43:33 +0000
with message-id
<CAOuTi9UphWuTmSZXTX98kzOstB=ypbxolzlbvbbarfeukgd...@mail.gmail.com>
and subject line Re: CVE-2021-21235
has caused the Debian Bug report #985309,
regarding CVE-2021-21235
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985309: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985309
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-kamadak-exif
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Hi
I looked at this, and it's only exactly version 0.5.2 that is
vulnerable, according to this page:
https://rustsec.org/advisories/RUSTSEC-2021-0143.html
Patched >=0.5.3
Unaffected <0.5.2
I also tried backporting the verifying unit test from
https://github.com/kamadak/exif-rs/commit/f21df24616ea611c5d5d0e0e2f8042eb74d5ff48
to the version packaged in Debian, and the vulnerable function
read_from_container doesn't exist in that version.
Best regards,
Alexander Kjäll
--- End Message ---
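The version-range triage described in the reply above, as an added example that is not part of the bug report, of the Debian package or of exif-rs. It applies RustSec's rule (a version is affected unless it matches a `patched` or an `unaffected` requirement) to the two requirements quoted from the RUSTSEC-2021-0143 page. Assumptions: the comparator syntax handled is the RustSec one (`>=`, `<`, etc., comma-joined), and the candidate versions fed to it are constructed for illustration, since the thread does not say which version Debian packages.

```python
"""Advisory range triage (added example, not code from the thread or exif-rs).

RustSec semantics: a version is affected unless it satisfies at least one
`patched` or one `unaffected` requirement.  The two requirements below are
the ones the RUSTSEC-2021-0143 page lists for kamadak-exif.
"""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# Requirements as listed on the RUSTSEC-2021-0143 advisory page.
PATCHED = [">=0.5.3"]
UNAFFECTED = ["<0.5.2"]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")
_COMPARATOR_RE = re.compile(r"(>=|<=|>|<|=)?\s*(\S+)")

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(text: str) -> Version:
    """Turn 'X.Y.Z' into an int tuple so that 0.5.10 compares above 0.5.3.

    Comparing the raw strings would put "0.5.10" below "0.5.3" and misclassify
    it; pre-release or build suffixes are rejected rather than silently dropped.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a plain X.Y.Z release version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def satisfies(version: str, requirement: str) -> bool:
    """True if `version` meets every comma-separated comparator in `requirement`.

    RustSec writes e.g. ">=0.5.3" or ">=0.5.3, <0.6.0"; all parts must hold.
    A bare version with no operator is treated as an exact match.
    """
    v = parse_version(version)
    for part in requirement.split(","):
        m = _COMPARATOR_RE.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"bad comparator: {part!r}")
        op = m.group(1) or "="
        if not _OPS[op](v, parse_version(m.group(2))):
            return False
    return True


def is_affected(version: str,
                patched: Iterable[str] = PATCHED,
                unaffected: Iterable[str] = UNAFFECTED) -> bool:
    """Affected unless some patched or some unaffected requirement matches."""
    return not (any(satisfies(version, r) for r in patched)
                or any(satisfies(version, r) for r in unaffected))


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate version to True (affected) or False (not affected)."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed candidate versions, not Debian's actual package version.
    for ver, hit in triage(["0.5.1", "0.5.2", "0.5.3", "0.5.10"]).items():
        print(f"{ver:>7}: {'AFFECTED' if hit else 'not affected'}")
```

With these two requirements only the exact release 0.5.2 comes out as affected, which is the conclusion the reply reaches. The reply's second check, confirming that the packaged source has no `read_from_container` function at all, is a separate source-level check that the range comparison does not replace.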