Your message dated Tue, 28 Jan 2020 23:18:39 +0100
with message-id <4053006.7PYGpGPFRf@thyrus>
and subject line Exiv2 bug fixed in 0.27
has caused the Debian Bug report #885981,
regarding exiv2: CVE-2017-18005: Null Pointer Dereference in the 
Exiv2::DataValue::toLong function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
885981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885981
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: exiv2
Version: 0.24-1
Severity: normal
Tags: patch security upstream
Forwarded: https://github.com/Exiv2/exiv2/issues/168

Hi,

the following vulnerability was published for exiv2.

CVE-2017-18005[0]:
| Exiv2 0.26 has a Null Pointer Dereference in the
| Exiv2::DataValue::toLong function in value.cpp, related to crafted
| metadata in a TIFF file.

The underlying issue according to [2] is that the code is trying to
pring a value in the if statement:

if (Params::instance().printItems_ & Params::prValue)

when this might not be possible. Fix is done via [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18005
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18005
[1] https://github.com/Exiv2/exiv2/issues/168
[2] https://github.com/Exiv2/exiv2/pull/199

Please adjust the affected versions in the BTS as needed, please
double check my assessment for it back to 0.24-1 is done right.
The poc does not trigger, if I'm not completely wrong the affected
code is there.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.27.2-1

Hi,

this bug was fixed upstream in Exiv2 0.27. Hence, closing with the
first version uploaded to Debian, 0.27.2-1.

Thanks,
-- 
Pino Toscano

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-kde-extras

Reply via email to