Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:libexif User: [email protected] Usertags: pu
[ Reason ] This update attempt to fix all open CVEs for libexif. [ Impact ] If the update isn't approved, users will continue to be vulnerable to CVE-2026-40386, CVE-2026-40385, CVE-2026-32775. Bullseye users upgrading to Trixie will become vulnerable again. [ Tests ] Issues affect to specific hardware [ Risks ] All the changes are minor an easy to read the code. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] CVE-2026-40386: fix an integer underflow in a size check. CVE-2026-40385: Add a check to avoid overflow in system with 32 bits unsigned int size_t. CVE-2026-32775: Fix an integer undeflow in mnote_pentax_entry_get_values(). This patch add a check to verify that maxlen be at least 1.
diff -Nru libexif-0.6.25/debian/changelog libexif-0.6.25/debian/changelog --- libexif-0.6.25/debian/changelog 2025-02-11 07:19:04.000000000 -0300 +++ libexif-0.6.25/debian/changelog 2026-04-17 07:48:04.000000000 -0300 @@ -1,3 +1,21 @@ +libexif (0.6.25-1+deb13u1) trixie; urgency=medium + + * Team upload. + * d/patches/CVE-2026-40386.patch Add patch for CVE-2026-40386. + - An integer underflow in size checking for Fuji and Olympus MakerNote + decoding could be used by attackers to crash or leak information out + of libexif-using programs (Closes: #1133923). + * d/patches/CVE-2026-40385.patch: Add patch for CVE-2026-40385. + - An unsigned 32bit integer overflow in Nikon MakerNote handling could + be used by local attackers to cause crashes or information leaks. + (Closes: #1133922). + * d/patches/CVE-2026-32775.patch: Add patch for CVE-2026-32775.patch. + - If the exif_mnote_data_get_value function in MakerNotes gets passed + in a 0 size, the passed in-buffer would be overwritten due to an + integer underflow (Closes: #1131116). + + -- Emmanuel Arias <[email protected]> Fri, 17 Apr 2026 07:48:04 -0300 + libexif (0.6.25-1) unstable; urgency=medium * New upstream version 0.6.25. diff -Nru libexif-0.6.25/debian/patches/CVE-2026-32775.patch libexif-0.6.25/debian/patches/CVE-2026-32775.patch --- libexif-0.6.25/debian/patches/CVE-2026-32775.patch 1969-12-31 21:00:00.000000000 -0300 +++ libexif-0.6.25/debian/patches/CVE-2026-32775.patch 2026-04-17 07:33:27.000000000 -0300 @@ -0,0 +1,82 @@ +From: Marcus Meissner <[email protected]> +Date: Mon, 9 Mar 2026 10:02:53 +0100 +Subject: [PATCH] check maxlen to be at least 1 + +maxlen-- on 0 will become a high value. + +(likely found by AI) + +Fixes https://github.com/libexif/libexif/issues/247 +Bug-Debian: https://bugs.debian.org/1131116 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-32775 +--- + libexif/apple/mnote-apple-entry.c | 2 ++ + libexif/canon/mnote-canon-entry.c | 2 ++ + libexif/fuji/mnote-fuji-entry.c | 1 + + libexif/olympus/mnote-olympus-entry.c | 2 ++ + libexif/pentax/mnote-pentax-entry.c | 1 + + 5 files changed, 8 insertions(+) + +diff --git a/libexif/apple/mnote-apple-entry.c b/libexif/apple/mnote-apple-entry.c +index 36e002c5..0fa6bc24 100644 +--- a/libexif/apple/mnote-apple-entry.c ++++ b/libexif/apple/mnote-apple-entry.c +@@ -45,6 +45,8 @@ mnote_apple_entry_get_value(MnoteAppleEntry *entry, char *v, unsigned int maxlen + + if (!entry) + return NULL; ++ if (maxlen < 1) ++ return NULL; + + memset(v, 0, maxlen); + maxlen--; +diff --git a/libexif/canon/mnote-canon-entry.c b/libexif/canon/mnote-canon-entry.c +index de0fac4f..2849d5ba 100644 +--- a/libexif/canon/mnote-canon-entry.c ++++ b/libexif/canon/mnote-canon-entry.c +@@ -561,6 +561,8 @@ mnote_canon_entry_get_value (const MnoteCanonEntry *entry, unsigned int t, char + + if (!entry) + return NULL; ++ if (maxlen < 1) ++ return NULL; + + data = entry->data; + size = entry->size; +diff --git a/libexif/fuji/mnote-fuji-entry.c b/libexif/fuji/mnote-fuji-entry.c +index 47e01ed5..5d9f16fd 100644 +--- a/libexif/fuji/mnote-fuji-entry.c ++++ b/libexif/fuji/mnote-fuji-entry.c +@@ -201,6 +201,7 @@ mnote_fuji_entry_get_value (MnoteFujiEntry *entry, + int i, j; + + if (!entry) return (NULL); ++ if (maxlen < 1) return NULL; + + memset (val, 0, maxlen); + maxlen--; +diff --git a/libexif/olympus/mnote-olympus-entry.c b/libexif/olympus/mnote-olympus-entry.c +index e5200bec..f938d409 100644 +--- a/libexif/olympus/mnote-olympus-entry.c ++++ b/libexif/olympus/mnote-olympus-entry.c +@@ -286,6 +286,8 @@ mnote_olympus_entry_get_value (MnoteOlympusEntry *entry, char *v, unsigned int m + + if (!entry) + return (NULL); ++ if (maxlen < 1) ++ return NULL; + + memset (v, 0, maxlen); + maxlen--; +diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c +index 46900c3a..0a6f87a1 100644 +--- a/libexif/pentax/mnote-pentax-entry.c ++++ b/libexif/pentax/mnote-pentax-entry.c +@@ -317,6 +317,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, + int i = 0, j = 0; + + if (!entry) return (NULL); ++ if (maxlen < 1) return (NULL); + + memset (val, 0, maxlen); + maxlen--; diff -Nru libexif-0.6.25/debian/patches/CVE-2026-40385.patch libexif-0.6.25/debian/patches/CVE-2026-40385.patch --- libexif-0.6.25/debian/patches/CVE-2026-40385.patch 1969-12-31 21:00:00.000000000 -0300 +++ libexif-0.6.25/debian/patches/CVE-2026-40385.patch 2026-04-17 07:33:27.000000000 -0300 @@ -0,0 +1,29 @@ +From: Marcus Meissner <[email protected]> +Date: Fri, 3 Apr 2026 11:18:47 +0200 +Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes + +The addition o2 = datao + exif_get_long(buf + o2, n->order) +could have overflowed on systems with 32bit unsigned int size_t. + +This could have caused out of bound reads of data, leading to +misparsing of exif / crashes. + +Reported-By: Kerwin <[email protected]> +Bug-Debian: https://bugs.debian.org/1133922 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40385 +--- + libexif/olympus/exif-mnote-data-olympus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c +index 428f365d..37f08ff1 100644 +--- a/libexif/olympus/exif-mnote-data-olympus.c ++++ b/libexif/olympus/exif-mnote-data-olympus.c +@@ -386,6 +386,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + o2 += 2; + + /* Go to where the number of entries is. */ ++ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return; + o2 = datao + exif_get_long (buf + o2, n->order); + break; + diff -Nru libexif-0.6.25/debian/patches/CVE-2026-40386.patch libexif-0.6.25/debian/patches/CVE-2026-40386.patch --- libexif-0.6.25/debian/patches/CVE-2026-40386.patch 1969-12-31 21:00:00.000000000 -0300 +++ libexif-0.6.25/debian/patches/CVE-2026-40386.patch 2026-04-17 07:33:27.000000000 -0300 @@ -0,0 +1,40 @@ +From: Marcus Meissner <[email protected]> +Date: Thu, 2 Apr 2026 13:26:31 +0200 +Subject: [PATCH] fixed 2 unsigned integer underflows + +this could cause crashes or data leaks. + +Reported-by: Kerwin <[email protected]> +Bug-Debian: https://bugs.debian.org/1133923 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40386 +--- + libexif/fuji/exif-mnote-data-fuji.c | 2 +- + libexif/olympus/exif-mnote-data-olympus.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c +index c28c541b..2dcb8775 100644 +--- a/libexif/fuji/exif-mnote-data-fuji.c ++++ b/libexif/fuji/exif-mnote-data-fuji.c +@@ -70,7 +70,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns + ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d; + + if (!d || !val) return NULL; +- if (i > n->count -1) return NULL; ++ if (i >= n->count) return NULL; + /* + exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji", + "Querying value for tag '%s'...", +diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c +index a57af177..428f365d 100644 +--- a/libexif/olympus/exif-mnote-data-olympus.c ++++ b/libexif/olympus/exif-mnote-data-olympus.c +@@ -78,7 +78,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val, + ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d; + + if (!d || !val) return NULL; +- if (i > n->count -1) return NULL; ++ if (i >= n->count) return NULL; + /* + exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus", + "Querying value for tag '%s'...", diff -Nru libexif-0.6.25/debian/patches/series libexif-0.6.25/debian/patches/series --- libexif-0.6.25/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ libexif-0.6.25/debian/patches/series 2026-04-17 07:34:06.000000000 -0300 @@ -0,0 +1,3 @@ +CVE-2026-32775.patch +CVE-2026-40385.patch +CVE-2026-40386.patch
