Your message dated Thu, 19 Nov 2009 23:03:29 +0000
with message-id <e1nbg2d-0002wp...@ries.debian.org>
and subject line Bug#557137: fixed in libexif 0.6.19-1
has caused the Debian Bug report #557137,
regarding libexif: CVE-2009-3895: heap buffer overflow when processing certain images
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
557137: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557137
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libexif12
Version: 0.6.18-1
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for libexif.

Vulnerability description[0]:
> A flaw in libexif was discovered that causes a heap buffer to overflow
> when certain invalid EXIF images are processed. The flaw occurs in the
> tag fixup routine which attempts to convert in place an array of 8-bit
> integers into 16-bit integers. This fixup is performed by default after
> reading an image and until version 0.6.18 there was no easy way to disable
> it, so it is likely that nearly all applications using libexif to read
> images are vulnerable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://article.gmane.org/gmane.comp.graphics.libexif.devel/806
    http://security-tracker.debian.org/tracker/CVE-2009-3895

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



--- End Message ---
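The description above blames an in-place conversion of an 8-bit array into 16-bit values inside a buffer only sized for the 8-bit data. As an added illustration (not libexif's code; a hypothetical minimal exif_entry struct and little-endian storage are assumed), here is the same widening done safely: validate the entry, allocate a fresh buffer of twice the component count, convert into it, then swap it in.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical minimal EXIF entry: a component count plus a heap buffer
 * that currently holds `count` 8-bit integers (EXIF format BYTE). */
struct exif_entry {
    size_t   count;   /* number of components */
    size_t   size;    /* bytes allocated for data */
    uint8_t *data;    /* heap buffer, owned by the entry */
};

/* Widen BYTE components to SHORT (2 bytes each). Instead of writing 16-bit
 * values back into a buffer sized for `count` bytes, allocate count * 2
 * bytes, fill that, and replace the old buffer. Returns 0 on success, -1 on
 * invalid input or allocation failure (the entry is left untouched). */
int exif_fixup_byte_to_short(struct exif_entry *e)
{
    if (!e || !e->data || e->size < e->count) return -1;
    if (e->count > SIZE_MAX / 2) return -1;          /* size_t overflow guard */
    size_t new_size = e->count * 2;
    uint8_t *buf = malloc(new_size ? new_size : 1);
    if (!buf) return -1;
    for (size_t i = 0; i < e->count; i++) {
        uint16_t v = e->data[i];                      /* zero-extend the byte */
        buf[2 * i]     = (uint8_t)(v & 0xff);         /* little-endian assumed */
        buf[2 * i + 1] = (uint8_t)(v >> 8);
    }
    free(e->data);
    e->data = buf;
    e->size = new_size;
    return 0;
}

/* Read back component i as a 16-bit value after conversion. */
uint16_t exif_get_short(const struct exif_entry *e, size_t i)
{
    return (uint16_t)(e->data[2 * i] | (e->data[2 * i + 1] << 8));
}

int main(void)
{
    /* Constructed sample: four BYTE components in a 4-byte heap buffer. */
    struct exif_entry e = { 4, 4, NULL };
    e.data = malloc(4);
    memcpy(e.data, "\x01\x02\xff\x10", 4);
    if (exif_fixup_byte_to_short(&e) == 0)
        printf("count=%zu size=%zu first=%u last=%u\n", e.count, e.size,
               exif_get_short(&e, 0), exif_get_short(&e, 3));
    free(e.data);
    return 0;
}
```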
--- Begin Message ---
Source: libexif
Source-Version: 0.6.19-1

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive:

libexif-dev_0.6.19-1_amd64.deb
  to main/libe/libexif/libexif-dev_0.6.19-1_amd64.deb
libexif12_0.6.19-1_amd64.deb
  to main/libe/libexif/libexif12_0.6.19-1_amd64.deb
libexif_0.6.19-1.diff.gz
  to main/libe/libexif/libexif_0.6.19-1.diff.gz
libexif_0.6.19-1.dsc
  to main/libe/libexif/libexif_0.6.19-1.dsc
libexif_0.6.19.orig.tar.gz
  to main/libe/libexif/libexif_0.6.19.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 557...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kol...@openics.org> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Thu, 19 Nov 2009 22:38:27 +0000
Source: libexif
Binary: libexif-dev libexif12
Architecture: source amd64
Version: 0.6.19-1
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Emmanuel Bouthenot <kol...@openics.org>
Description: 
 libexif-dev - library to parse EXIF files (development files)
 libexif12  - library to parse EXIF files
Closes: 557137
Changes: 
 libexif (0.6.19-1) unstable; urgency=high
 .
   * New upstream release
     - fix CVE-2009-3895: heap buffer overflow during tag format conversion
       (Closes: #557137)




--- End Message ---
_______________________________________________
Pkg-phototools-devel mailing list
Pkg-phototools-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-phototools-devel