Your message dated Wed, 04 Jul 2018 20:47:11 +0000
with message-id <[email protected]>
and subject line Bug#901706: fixed in exiv2 0.25-3.1+deb9u1
has caused the Debian Bug report #901706,
regarding exiv2: CVE-2018-12265
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
901706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901706
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: exiv2
Version: 0.25-3.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/issues/365

Hi,

The following vulnerability was published for exiv2.

CVE-2018-12265[0]:
| Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in
| preview.cpp, leading to an out-of-bounds read in Exiv2::MemIo::read in
| basicio.cpp.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12265
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12265
[1] https://github.com/Exiv2/exiv2/issues/365

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.25-3.1+deb9u1

We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez <[email protected]> (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 27 Jun 2018 08:09:36 -0400
Source: exiv2
Binary: exiv2 libexiv2-14 libexiv2-dev libexiv2-doc libexiv2-dbg
Architecture: source amd64 all
Version: 0.25-3.1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian KDE Extras Team <[email protected]>
Changed-By: Roberto C. Sanchez <[email protected]>
Description:
 exiv2      - EXIF/IPTC/XMP metadata manipulation tool
 libexiv2-14 - EXIF/IPTC/XMP metadata manipulation library
 libexiv2-dbg - EXIF/IPTC/XMP metadata manipulation library - debug
 libexiv2-dev - EXIF/IPTC/XMP metadata manipulation library - development files
 libexiv2-doc - EXIF/IPTC/XMP metadata manipulation library - HTML documentation
Closes: 901706 901707
Changes:
 exiv2 (0.25-3.1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-10958: denial of service through memory exhaustion and
     application crash by a crafted PNG image.
   * CVE-2018-10999: a heap-based buffer over-read via a crafted PNG image.
   * CVE-2018-10998: denial of service through memory exhaustion and
     application crash by a crafted image.
   * CVE-2018-11531: a heap-based buffer overflow and application crash by a
     crafted image.
   * CVE-2018-12264: integer overflow leading to out of bounds read by a
     crafted image. (Closes: #901707)
   * CVE-2018-12265: integer overflow leading to out of bounds read by a
     crafted image. (Closes: #901706)

--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-kde-extras
