Your message dated Mon, 05 Jun 2017 21:04:42 +0000 with message-id <e1dhzb4-0001gi...@fasolo.debian.org> and subject line Bug#863410: fixed in exiv2 0.25-3.1 has caused the Debian Bug report #863410, regarding exiv2: CVE-2017-9239 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 863410: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863410 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: exiv2 Version: 0.24-4.1 Severity: important Tags: security upstream Hi, the following vulnerability was published for exiv2. CVE-2017-9239[0]: | An issue was discovered in Exiv2 0.26. When the data structure of the | structure ifd is incorrect, the program assigns pValue_ to 0x0, and the | value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the | value of pValue() to cause a segmentation fault. To exploit this | vulnerability, someone must open a crafted tiff file. "Demostrable" with convert-test, in unstable, but I think the very same issue should be in 0.24 as well, since the code path should be the same (but please confirm): Program terminated with signal SIGSEGV, Segmentation fault. #0 Exiv2::Internal::TiffImageEntry::doWriteImage (this=0x55fbc5220620, ioWrapper=...) at tiffcomposite.cpp:1610 1610 } // TiffIfdMakernote::doWriteImage (gdb) bt #0 Exiv2::Internal::TiffImageEntry::doWriteImage (this=0x55fbc5220620, ioWrapper=...) at tiffcomposite.cpp:1610 #1 0x00007f609169cb6d in Exiv2::Internal::TiffComponent::writeImage ( byteOrder=Exiv2::littleEndian, ioWrapper=..., this=<optimized out>) at tiffcomposite.cpp:1555 #2 Exiv2::Internal::TiffDirectory::doWriteImage (this=0x55fbc521fc20, ioWrapper=..., byteOrder=Exiv2::littleEndian) at tiffcomposite.cpp:1570 #3 0x00007f60916a4f31 in Exiv2::Internal::TiffComponent::writeImage ( byteOrder=Exiv2::littleEndian, ioWrapper=..., this=0x55fbc521fc20) at tiffcomposite.cpp:1555 #4 Exiv2::Internal::TiffDirectory::doWrite (this=<optimized out>, ioWrapper=..., byteOrder=Exiv2::littleEndian, offset=8, valueIdx=<optimized out>, dataIdx=3142, imageIdx=@0x7ffe1b26439c: 3240) at tiffcomposite.cpp:1200 #5 0x00007f60916ab41b in Exiv2::Internal::TiffParserWorker::encode (io=..., pData=pData@entry=0x7f6091c25000 <error: Cannot access memory at address 0x7f6091c25000>, size=size@entry=459, exifData=..., iptcData=..., xmpData=..., root=131072, findEncoderFct=<optimized out>, pHeader=<optimized out>, pOffsetWriter=0x0) at tiffimage.cpp:2176 #6 0x00007f60916ac29c in Exiv2::TiffParser::encode (io=..., pData=pData@entry=0x7f6091c25000 <error: Cannot access memory at address 0x7f6091c25000>, size=size@entry=459, byteOrder=byteOrder@entry=Exiv2::littleEndian, exifData=..., iptcData=..., xmpData=...) at tiffimage.cpp:276 #7 0x00007f60916ac3f3 in Exiv2::TiffImage::writeMetadata (this=0x55fbc521c640) at tiffimage.cpp:219 #8 0x000055fbc4746121 in main (argc=<optimized out>, argv=<optimized out>) at convert-test.cpp:30 (gdb) If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-9239 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9239 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: exiv2 Source-Version: 0.25-3.1 We believe that the bug you reported is fixed in the latest version of exiv2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 863...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Moritz Muehlenhoff <j...@debian.org> (supplier of updated exiv2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 05 Jun 2017 22:42:20 +0200 Source: exiv2 Binary: exiv2 libexiv2-14 libexiv2-dev libexiv2-doc libexiv2-dbg Architecture: source amd64 all Version: 0.25-3.1 Distribution: unstable Urgency: medium Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org> Changed-By: Moritz Muehlenhoff <j...@debian.org> Description: exiv2 - EXIF/IPTC/XMP metadata manipulation tool libexiv2-14 - EXIF/IPTC/XMP metadata manipulation library libexiv2-dbg - EXIF/IPTC/XMP metadata manipulation library - debug libexiv2-dev - EXIF/IPTC/XMP metadata manipulation library - development files libexiv2-doc - EXIF/IPTC/XMP metadata manipulation library - HTML documentation Closes: 863410 Changes: exiv2 (0.25-3.1) unstable; urgency=medium . * Non-maintainer upload. * CVE-2017-9239 (Closes: #863410) Checksums-Sha1: 849ccab9fdb77673f9b2c6316e4815476bc9f8f3 2276 exiv2_0.25-3.1.dsc 74610e65fdee1f574151a83d5c95a010d4aa912b 20320 exiv2_0.25-3.1.debian.tar.xz e3b63460762b991715e16d1ce8cd2894ec3cf756 8699 exiv2_0.25-3.1_amd64.buildinfo b81e798b89b509cfe1c787a585b78fa7c98b0b5f 108212 exiv2_0.25-3.1_amd64.deb ad3860b62884f7eb932b41c673977d91212ba51c 710864 libexiv2-14_0.25-3.1_amd64.deb d45cec8bd486ed7efe793d1cfdc5a4ac3047acf2 6251662 libexiv2-dbg_0.25-3.1_amd64.deb be5ba73a6578da320cf72789252fb4f421ca07b9 1545300 libexiv2-dev_0.25-3.1_amd64.deb d0dba9023561d72903a331ba756f5408e35e935f 20235230 libexiv2-doc_0.25-3.1_all.deb Checksums-Sha256: 15400cca0136f2f49cf2a58861731142f05b8144c6d24f0634576fc0eaca19c1 2276 exiv2_0.25-3.1.dsc f218974f4a93338cd45a2eb65507b409694a905fe0d3ff8c7d3091d91576f67c 20320 exiv2_0.25-3.1.debian.tar.xz 6038e93f8768ba4a7b869e65206e5626ba3105322029d259ac7386a6c874773d 8699 exiv2_0.25-3.1_amd64.buildinfo 3fe010cab4d4f1a77d7aa20b99eae8ee776f85979c39da25c5bbe6177eb526dc 108212 exiv2_0.25-3.1_amd64.deb 0fa5c8f6242b6786e7409a0f3ef46a1730c12797960780a8f9ad9f0f04864520 710864 libexiv2-14_0.25-3.1_amd64.deb 5a7936634e4ea4b683c064e14bd29a09c79d6bd48af9edd30818d8ffb39eae6e 6251662 libexiv2-dbg_0.25-3.1_amd64.deb 9480a7a2447b06403f648d5dfb8aeadc006bf9007b35cec201532110d5eeed34 1545300 libexiv2-dev_0.25-3.1_amd64.deb ec7d815c0e078ac6e4a63f59f139ead41a94c34d95213030076b1cbe239c53cd 20235230 libexiv2-doc_0.25-3.1_all.deb Files: 57c170b72189253529f2f9764add9a63 2276 graphics optional exiv2_0.25-3.1.dsc f4636f324dc3bbf33a5e4501de96b205 20320 graphics optional exiv2_0.25-3.1.debian.tar.xz e52e801916c0869d274cf00051dc55fd 8699 graphics optional exiv2_0.25-3.1_amd64.buildinfo b9e162d53c88332039c64ba5292b0fd6 108212 graphics optional exiv2_0.25-3.1_amd64.deb be62414c0c59f141b22d1cbfb5172610 710864 libs optional libexiv2-14_0.25-3.1_amd64.deb b0fbe7509bc4e695c6beedf6a98638a7 6251662 debug extra libexiv2-dbg_0.25-3.1_amd64.deb 1b383279d9de4fa2210791e98463f95b 1545300 libdevel optional libexiv2-dev_0.25-3.1_amd64.deb b977ce7ab380dab114f59b5118d21f3a 20235230 doc optional libexiv2-doc_0.25-3.1_all.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlk1w5YACgkQEMKTtsN8 TjYNIw/6AlQqNIYkyghWJ2jVaF33A/E+TubaPuS7IvpNQYWz99GRfmtBKwm9QdiF ZlSjlTEY2ub6ExgqPHZOAgY1BZZY7zwdZiCqbARlbN32JjFMvItOnF6z1/lt1Qn5 pLSp4438XeFkNfs9ZjFasvMJtGlAeR0NO0DQp861rCHRSylHSI/avkzeP7AJdDS0 UjGyambm+KNwlVBlHsMUZXGEgFsYnBwk500B0CX+SmKZz2Olb8LWBX73ZGUeIYI6 S1cYU9zx1KhVqVgGofGOk/UYCQEDd0RmXtAgT2YpEc04oD2HqAmbwwpo8aPkjiyG 0A3k7jrMmjJMtfGKh7jhitd6Td56407wucUIYTT2Lm0NXrERDeyQUaTZgzoCOgUm io+olI2Xk2uLeAhbvlg0coOfgiK5JXtX5e1Dwp+FD4bV+QogQQVlIuyghQMTJPy/ oxdcwHmG4qegg2Y3cI1roOrckS6DHKC6/CiFGdyChWkMQXbM429MgPVfHi3KkA68 jQuwdWohx8+swL4io4tCAqZM6GlQuELgEyloZAc4qGYggh5jPTMrt6Kjn10RYD7b QQhnekXO7auMvDMJp5JFLMyWISZXyZ483zHck6saRca6obeNMm1pQp4chx7eoIyl fMPmX3MAobG6WcL++zL78ixEkinKvFzycLhM6ez3ZQUhBGSQnnw= =GyEZ -----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
