Your message dated Sun, 01 Sep 2013 21:17:06 +0000
with message-id <[email protected]>
and subject line Bug#721236: fixed in exactimage 0.8.5-5+deb7u2
has caused the Debian Bug report #721236,
regarding CVE-2013-1438: exactimage: multiple vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
721236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721236
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libraw
Severity: important
Tags: security
Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9
Control: retitle -1 CVE-2013-1438: libraw: multiple vulnerabilities
Control: retitle -2 CVE-2013-1438: dcraw: multiple vulnerabilities
Control reassign -2 dcraw
Control: retitle -3 CVE-2013-1438: darktable: multiple vulnerabilities
Control reassign -3 darktable
Control: retitle -4 CVE-2013-1438: ufraw: multiple vulnerabilities
Control reassign -4 ufraw
Control: retitle -5 CVE-2013-1438: xbmc: multiple vulnerabilities
Control reassign -5 src:xbmc
Control: retitle -6 CVE-2013-1438: exactimage: multiple vulnerabilities
Control reassign -6 exactimage
Control: retitle -7 CVE-2013-1438: rawstudio: multiple vulnerabilities
Control reassign -7 rawstudio
Control: retitle -8 CVE-2013-1438: rawtherapee: multiple vulnerabilities
Control reassign -8 rawtherapee
Control: retitle -9 CVE-2013-1438: libkdcraw: multiple vulnerabilities
Control reassign -9 libkdcraw
Hi,
I found a few vulnerabilities in dcraw and they are all covered by the
CVE-2013-1438 id:
"Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference."
Alex Tutubalin, libraw upstream, has patched the vulnerabilities in
libraw and the patches should apply as-is to the vast majority of
embedders. For the details:
http://www.openwall.com/lists/oss-security/2013/08/29/3
Please include the CVE id when fixing these vulnerabilities and
consider fixing them in old/stable via a {O,}SPU by following standard
procedures for stable release updates.
P.S. yes, the above Control list is annoying, but so is having so many
copies of the same code base in the archive.
Thanks,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
Source: exactimage
Source-Version: 0.8.5-5+deb7u2
We believe that the bug you reported is fixed in the latest version of
exactimage, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Eckelmann <[email protected]> (supplier of updated exactimage package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 29 Aug 2013 17:16:53 +0200
Source: exactimage
Binary: exactimage edisplay exactimage-dbg libexactimage-perl php5-exactimage python-exactimage
Architecture: source amd64
Version: 0.8.5-5+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Daniel Stender <[email protected]>
Changed-By: Sven Eckelmann <[email protected]>
Description:
 edisplay - fast image manipulation programs (image viewer)
 exactimage - fast image manipulation programs
 exactimage-dbg - fast image manipulation library (debug symbols)
 libexactimage-perl - fast image manipulation library (Perl bindings)
 php5-exactimage - fast image manipulation library (PHP bindings)
 python-exactimage - fast image manipulation library (Python bindings)
Closes: 721236
Changes:
 exactimage (0.8.5-5+deb7u2) stable-security; urgency=high
 .
   * Add debian/patches/CVE-2013-1438.patch,
     Fix CVE-2013-1438: multiple denial of service vulnerabilities
     (Closes: #721236)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---