Your message dated Sun, 01 Sep 2013 21:50:50 +0000
with message-id <[email protected]>
and subject line Bug#721236: fixed in exactimage 0.8.1-3+deb6u2
has caused the Debian Bug report #721236,
regarding CVE-2013-1438: exactimage: multiple vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
721236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721236
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libraw
Severity: important
Tags: security
Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9
Control: retitle -1 CVE-2013-1438: libraw: multiple vulnerabilities
Control: retitle -2 CVE-2013-1438: dcraw: multiple vulnerabilities
Control: reassign -2 dcraw
Control: retitle -3 CVE-2013-1438: darktable: multiple vulnerabilities
Control: reassign -3 darktable
Control: retitle -4 CVE-2013-1438: ufraw: multiple vulnerabilities
Control: reassign -4 ufraw
Control: retitle -5 CVE-2013-1438: xbmc: multiple vulnerabilities
Control: reassign -5 src:xbmc
Control: retitle -6 CVE-2013-1438: exactimage: multiple vulnerabilities
Control: reassign -6 exactimage
Control: retitle -7 CVE-2013-1438: rawstudio: multiple vulnerabilities
Control: reassign -7 rawstudio
Control: retitle -8 CVE-2013-1438: rawtherapee: multiple vulnerabilities
Control: reassign -8 rawtherapee
Control: retitle -9 CVE-2013-1438: libkdcraw: multiple vulnerabilities
Control: reassign -9 libkdcraw
Hi,
I found a few vulnerabilities in dcraw, and they are all covered by the
CVE-2013-1438 id:
"Specially crafted photo files may trigger a division by zero, an
infinite loop, or a null pointer dereference."
Alex Tutubalin, libraw upstream, has patched the vulnerabilities in
libraw and the patches should apply as-is to the vast majority of
embedders. For the details
http://www.openwall.com/lists/oss-security/2013/08/29/3
Please include the CVE id when fixing these vulnerabilities and
consider fixing them in old/stable via a {O,}SPU by following standard
procedures for stable release updates.
P.S. yes, the above Control list is annoying, but so is having so many
copies of the same code base in the archive.
Thanks,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
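The bug classes named in the CVE text quoted above (division by zero, infinite loop and NULL pointer dereference triggered by crafted photo files), shown as an added C example. This is a constructed illustration and not code from libraw, dcraw, exactimage or the upstream patch: the 16-byte header layout, the field names, the limits, the error codes and every function name are invented here. The point it demonstrates is the one the fix class relies on: every value read from the file that later serves as a divisor, loop step, array bound or pointer source is validated before use, and an optional table that may be absent (NULL) is only dereferenced when its length says it is present.

```c
/* Added example, not code from libraw/dcraw/exactimage. Toy raw-file header
 * parser: an unsafe path that trusts the header (divide by zero, zero loop
 * step, NULL deref) beside a checked path. Header layout, names and limits
 * are invented for this demo. Build: cc -std=c99 -Wall demo.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed header: four little-endian uint32 fields, followed by
 * curve_len little-endian uint16 tone-curve entries. */
struct raw_hdr {
    uint32_t width, height;
    uint32_t block;      /* pixels per block: used as a divisor and a loop step */
    uint32_t curve_len;  /* 0 means "no tone curve"; the curve pointer is then NULL */
};

enum { RAW_OK = 0, RAW_ERR_SHORT = -1, RAW_ERR_FIELD = -2, RAW_ERR_CURVE = -3 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int read_hdr(const uint8_t *buf, size_t len, struct raw_hdr *h) {
    if (len < 16) return RAW_ERR_SHORT;
    h->width = rd32(buf);      h->height = rd32(buf + 4);
    h->block = rd32(buf + 8);  h->curve_len = rd32(buf + 12);
    return RAW_OK;
}

/* The checks the unsafe path lacks: each field that later acts as a divisor,
 * loop step, array bound or pointer source is bounded first. Limits are demo values. */
static int validate_hdr(const struct raw_hdr *h, size_t len) {
    if (h->width == 0 || h->height == 0 || h->width > 65535u || h->height > 65535u)
        return RAW_ERR_FIELD;
    if (h->block == 0 || h->block > h->width)                 /* divisor and loop step */
        return RAW_ERR_FIELD;
    if (h->curve_len > 65536u || (size_t)h->curve_len * 2 > len - 16)
        return RAW_ERR_CURVE;                                 /* curve must fit in the file */
    return RAW_OK;
}

/* UNSAFE shape: trusts the header. block == 0 -> SIGFPE and a loop that never
 * advances; curve_len == 0 -> curve is NULL and curve[0] is read. Kept only for
 * comparison; call it solely with input you have already validated. */
static long process_unsafe(const uint8_t *buf, size_t len) {
    struct raw_hdr h;
    if (read_hdr(buf, len, &h) != RAW_OK) return -1;
    const uint8_t *curve = h.curve_len ? buf + 16 : NULL;
    long acc = 0;
    for (uint32_t x = 0; x < h.width; x += h.block)            /* infinite if block == 0 */
        acc += h.width / h.block;                              /* SIGFPE if block == 0 */
    acc += curve[0] | (long)curve[1] << 8;                     /* NULL deref if curve_len == 0 */
    return acc;
}

/* Hardened version: same computation, every untrusted value checked, and the
 * optional curve touched only when curve_len says it exists. */
static int process_checked(const uint8_t *buf, size_t len, long *out) {
    struct raw_hdr h;
    int rc = read_hdr(buf, len, &h);
    if (rc != RAW_OK) return rc;
    if ((rc = validate_hdr(&h, len)) != RAW_OK) return rc;
    const uint8_t *curve = h.curve_len ? buf + 16 : NULL;
    long acc = 0;
    for (uint32_t x = 0; x < h.width; x += h.block)            /* block >= 1: terminates */
        acc += h.width / h.block;                              /* block >= 1: no SIGFPE */
    for (uint32_t i = 0; i < h.curve_len; i++)                 /* body unreachable when NULL */
        acc += curve[2 * i] | (long)curve[2 * i + 1] << 8;
    *out = acc;
    return RAW_OK;
}

/* Builds a constructed in-memory test file; returns its length. */
static size_t make_file(uint8_t *dst, uint32_t w, uint32_t hgt, uint32_t blk,
                        const uint16_t *curve, uint32_t n) {
    uint32_t f[4] = { w, hgt, blk, n };
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++) dst[i * 4 + b] = (uint8_t)(f[i] >> (8 * b));
    for (uint32_t i = 0; i < n; i++) {
        dst[16 + 2 * i] = (uint8_t)curve[i];
        dst[17 + 2 * i] = (uint8_t)(curve[i] >> 8);
    }
    return 16 + 2 * (size_t)n;
}

/* One number per case: the rc when the checked parser rejects the input
 * (negative), otherwise the accumulator (always >= 0 here). */
static long run_case(int which) {
    uint8_t file[64] = { 0 };
    const uint16_t curve[2] = { 100, 300 };
    size_t n;
    long acc = 0;
    switch (which) {
    case 0: n = make_file(file, 8, 2, 4, curve, 2); break;          /* well-formed */
    case 1: n = make_file(file, 8, 2, 0, curve, 2); break;          /* block == 0 */
    case 2: n = make_file(file, 8, 2, 4, curve, 0); break;          /* no tone curve */
    case 3: n = make_file(file, 8, 2, 4, curve, 2); return process_unsafe(file, n);
    default: n = 8; break;                                          /* truncated header */
    }
    int rc = process_checked(file, n, &acc);
    return rc != RAW_OK ? rc : acc;
}

int main(void) {
    const char *names[] = { "well-formed", "block=0", "no curve", "unsafe/well-formed", "truncated" };
    for (int i = 0; i < 5; i++) printf("%-20s -> %ld\n", names[i], run_case(i));
    return 0;
}
```

The well-formed file yields 404 on both paths' arithmetic core (the unsafe path reads only the first curve entry and gives 104); the block==0 file is rejected with -2 by the checked path instead of crashing or hanging, and the curve-less file gives 4 without ever touching the NULL curve pointer. The authoritative fix for the real code is the libraw patch set referenced in the oss-security post above; the value of a demo like this is only to make the review rule concrete for anyone auditing the other embedded dcraw copies listed in the Control block.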
--- Begin Message ---
Source: exactimage
Source-Version: 0.8.1-3+deb6u2
We believe that the bug you reported is fixed in the latest version of
exactimage, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Eckelmann <[email protected]> (supplier of updated exactimage package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 29 Aug 2013 17:16:53 +0200
Source: exactimage
Binary: exactimage exactimage-dbg libexactimage-perl exactimage-perl
php5-exactimage python-exactimage
Architecture: source amd64 all
Version: 0.8.1-3+deb6u2
Distribution: oldstable-security
Urgency: high
Maintainer: Jakub Wilk <[email protected]>
Changed-By: Sven Eckelmann <[email protected]>
Description:
exactimage - fast image manipulation programs
exactimage-dbg - fast image manipulation library (debug symbols)
exactimage-perl - transitional dummy package
libexactimage-perl - fast image manipulation library (Perl bindings)
php5-exactimage - fast image manipulation library (PHP bindings)
python-exactimage - fast image manipulation library (Python bindings)
Closes: 721236
Changes:
exactimage (0.8.1-3+deb6u2) oldstable-security; urgency=high
.
* Add debian/patches/CVE-2013-1438.patch,
Fix CVE-2013-1438: multiple denial of service vulnerabilities
(Closes: #721236)
Checksums-Sha1:
4b2aca2eefe297d6ff58aa584ce30b8563795874 1892 exactimage_0.8.1-3+deb6u2.dsc
2aa8398d52b62cee5f62356fb81b0d1b8e7f6137 283660 exactimage_0.8.1.orig.tar.bz2
7b191351f3989d647c22b57ba059f5ddd9551450 17909 exactimage_0.8.1-3+deb6u2.debian.tar.gz
333395c4cf95427a1bfa818bf4d69623b459d1e9 3911120 exactimage_0.8.1-3+deb6u2_amd64.deb
6031e0da0b5188787db9658516846551f6606a4d 15737744 exactimage-dbg_0.8.1-3+deb6u2_amd64.deb
e59229eb900f620a5a21268e22aad89d31189f54 672314 libexactimage-perl_0.8.1-3+deb6u2_amd64.deb
cf88dc3e38a2d87b997da27d857311ef4b9c3136 6686 exactimage-perl_0.8.1-3+deb6u2_all.deb
35d5db10ecd72b73b859831c5c25e1b1e09d6076 652006 php5-exactimage_0.8.1-3+deb6u2_amd64.deb
46b0407996fb8c86c88fd8fb402be712c0be0b81 1286364 python-exactimage_0.8.1-3+deb6u2_amd64.deb
Checksums-Sha256:
581829851ecd08c68fcc116b614400478ee38c8d01ec6bcefd536025f5be0674 1892 exactimage_0.8.1-3+deb6u2.dsc
926a09c897489705ba42daeb01fc4a3c327a8194dc65431f630d50684390e28b 283660 exactimage_0.8.1.orig.tar.bz2
e7882c53ef0b4d70890e9c9a70e602b93e70aaa0207b8442579b91647260f471 17909 exactimage_0.8.1-3+deb6u2.debian.tar.gz
ffb26c1803cbccc2906ea7962f621ec35e60a2fad82e3efa1910594d372c2399 3911120 exactimage_0.8.1-3+deb6u2_amd64.deb
b9e288681a36f8efe977678c2bb7c1491e4ef50d41a217f6d831bfd9b8fb9c9d 15737744 exactimage-dbg_0.8.1-3+deb6u2_amd64.deb
26b7d7f7d5d1baa24a60d04d2625be926c95c106450eca72b0a3c85e7175d978 672314 libexactimage-perl_0.8.1-3+deb6u2_amd64.deb
b317aa41431797b458fabb03bcfa959e592e8505e6f68b33be6525e464559443 6686 exactimage-perl_0.8.1-3+deb6u2_all.deb
3753ecb811b81e129ce97c43ce1c9ed05ba8251b2cf2246490aa4bd9c88a8fe9 652006 php5-exactimage_0.8.1-3+deb6u2_amd64.deb
3b5c656c41258778ab44f65ce36c2e7d9685599ff70d176d8bfb318d4c2677ab 1286364 python-exactimage_0.8.1-3+deb6u2_amd64.deb
Files:
d51a2fa9d6f74d2af00170a1d8357ec4 1892 graphics optional exactimage_0.8.1-3+deb6u2.dsc
f6c5a068a21a90c314ba557f0a601352 283660 graphics optional exactimage_0.8.1.orig.tar.bz2
c722527f808151fd453cbdda4e99c0b4 17909 graphics optional exactimage_0.8.1-3+deb6u2.debian.tar.gz
667bdee6715e1ccba2820a230ba23269 3911120 graphics optional exactimage_0.8.1-3+deb6u2_amd64.deb
c8e616e4e63ed7a0b9dbb620e08fc398 15737744 debug extra exactimage-dbg_0.8.1-3+deb6u2_amd64.deb
70d31a9db5c96d37f6dfac4ccb4f199b 672314 perl optional libexactimage-perl_0.8.1-3+deb6u2_amd64.deb
ea1bd710a1529b53bde00c506e1cd320 6686 perl optional exactimage-perl_0.8.1-3+deb6u2_all.deb
a15299e7d85e96589769ddcaf6f332f6 652006 php optional php5-exactimage_0.8.1-3+deb6u2_amd64.deb
b1a9ff5a6c81d9f52557848e415c1174 1286364 python optional python-exactimage_0.8.1-3+deb6u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJSIg6IAAoJEL97/wQC1SS++ckH/RAb1oKFXs/ndzZXBpB6PpdE
aFfyB9fjV9YksCXEN6w0Vo/MfOzfF2c97sjfUy+xNMQjwoAd5gZr7bUU1Y2DU3XK
r9tPucIxKz8glw27feyEbJ8dtY9MtxY31awLQ5aLuV3stlmEtSVDWF9vye/ucHd1
aClB/htAVX7xPJDczkM2ZKX9VAigzHTQ7T0QtmlDcX0ziP8I+58wngN+p0Hi0/1E
5KvaIjruQ7kI7pMKHn6xk69xNNOxe6EMWxaSMe+YPME5AnD19AAk2WdXK+59qO+j
hOFMI0tJ6g89FwmfegA/plpNAThslET12BhjGDw5yZGKDcgIOS6sqlsuy/L8vpA=
=EAK8
-----END PGP SIGNATURE-----
--- End Message ---