Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Fixed and backported to 0.26 upstream:
https://github.com/Exiv2/exiv2/issues/49
https://github.com/Exiv2/exiv2/issues/50
https://github.com/Exiv2/exiv2/issues/51
https://github.com/Exiv2/exiv2/issues/52
https://github.com/Exiv2/exiv2/issues/53
Bug#868578: [Pkg-kde-extras] Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Hi

On Mon, Jul 17, 2017 at 01:36:41PM +0200, Maximiliano Curia wrote:
> Control: notfound -1 0.25-3.1
> Control: found -1 0.26-1
>
> Hello Moritz!
>
> On 2017-07-16 at 22:49 +0200, Moritz Muehlenhoff wrote:
> > Package: exiv2
> > Version: 0.25-3.1
> > Severity: important
> > Tags: security
> >
> > Please see:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
>
> This one seems to be libtiff specific, if this is reproducible with exiv2,
> please let me know how to reproduce it.

I think that one was a copy-paste glitch, it is for src:tiff, cf.
https://security-tracker.debian.org/tracker/CVE-2017-11335

> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340
>
> I couldn't reproduce these with 0.25-3.1, but these issues are clearly there
> for 0.26-1. Thanks for the heads up, I guess we would either skip 0.26 for
> unstable or, at least, wait till these issues are patched.

Hmm, not being able to reproduce does not necessarily mean the issue is not
present. Is there source-wise evidence that they do not affect versions prior
to 0.26? AFAICT at least the Image::printIFDStructure* functions are not
present in older versions as exiv2 in unstable.

Regards,
Salvatore
Bug#868578: [Pkg-kde-extras] Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Control: notfound -1 0.25-3.1
Control: found -1 0.26-1

Hello Moritz!

On 2017-07-16 at 22:49 +0200, Moritz Muehlenhoff wrote:
> Package: exiv2
> Version: 0.25-3.1
> Severity: important
> Tags: security
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335

This one seems to be libtiff specific, if this is reproducible with exiv2,
please let me know how to reproduce it.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340

I couldn't reproduce these with 0.25-3.1, but these issues are clearly there
for 0.26-1. Thanks for the heads up, I guess we would either skip 0.26 for
unstable or, at least, wait till these issues are patched.

Happy hacking,
--
"Politicians and diapers have one thing in common. They should both be changed
regularly, and for the same reason."
― José Maria de Eça de Queiroz
Regards /\/\ /\ >< `/
Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340
Package: exiv2
Version: 0.25-3.1
Severity: important
Tags: security

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340

Cheers,
Moritz