Your message dated Sat, 09 May 2026 08:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1133922: fixed in libexif 0.6.25-1+deb13u1
has caused the Debian Bug report #1133922,
regarding libexif: CVE-2026-40385
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133922
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libexif
Version: 0.6.25-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libexif.

CVE-2026-40385[0]:
| In libexif through 0.6.25, an unsigned 32bit integer overflow in
| Nikon MakerNote handling could be used by local attackers to cause
| crashes or information leaks. This only affects 32bit systems.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40385
    https://www.cve.org/CVERecord?id=CVE-2026-40385
[1] https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libexif
Source-Version: 0.6.25-1+deb13u1
Done: Emmanuel Arias <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Arias <[email protected]> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Apr 2026 07:48:04 -0300
Source: libexif
Architecture: source
Version: 0.6.25-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Emmanuel Arias <[email protected]>
Closes: 1131116 1133922 1133923
Changes:
 libexif (0.6.25-1+deb13u1) trixie; urgency=medium
 .
   * Team upload.
   * d/patches/CVE-2026-40386.patch Add patch for CVE-2026-40386.
     - An integer underflow in size checking for Fuji and Olympus MakerNote
       decoding could be used by attackers to crash or leak information out
       of libexif-using programs (Closes: #1133923).
   * d/patches/CVE-2026-40385.patch: Add patch for CVE-2026-40385.
     - An unsigned 32bit integer overflow in Nikon MakerNote handling could
       be used by local attackers to cause crashes or information leaks.
       (Closes: #1133922).
   * d/patches/CVE-2026-32775.patch: Add patch for CVE-2026-32775.patch.
     - If the exif_mnote_data_get_value function in MakerNotes gets passed
       in a 0 size, the passed in-buffer would be overwritten due to an
       integer underflow (Closes: #1131116).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
