--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libexif
User: [email protected]
Usertags: pu
[ Reason ]
This update attempt to fix all open CVEs for libexif.
[ Impact ]
If the update isn't approved, users will continue to be vulnerable to
CVE-2026-40386, CVE-2026-40385, CVE-2026-32775. Bullseye
users upgrading to Trixie will become vulnerable again.
[ Tests ]
Issues affect to specific hardware
[ Risks ]
All the changes are minor an easy to read the code.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
CVE-2026-40386: fix an integer underflow in a size check.
CVE-2026-40385: Add a check to avoid overflow in system with
32 bits unsigned int size_t.
CVE-2026-32775: Fix an integer undeflow in
mnote_pentax_entry_get_values(). This patch add a check
to verify that maxlen be at least 1.
diff -Nru libexif-0.6.25/debian/changelog libexif-0.6.25/debian/changelog
--- libexif-0.6.25/debian/changelog 2025-02-11 07:19:04.000000000 -0300
+++ libexif-0.6.25/debian/changelog 2026-04-17 07:48:04.000000000 -0300
@@ -1,3 +1,21 @@
+libexif (0.6.25-1+deb13u1) trixie; urgency=medium
+
+ * Team upload.
+ * d/patches/CVE-2026-40386.patch Add patch for CVE-2026-40386.
+ - An integer underflow in size checking for Fuji and Olympus MakerNote
+ decoding could be used by attackers to crash or leak information out
+ of libexif-using programs (Closes: #1133923).
+ * d/patches/CVE-2026-40385.patch: Add patch for CVE-2026-40385.
+ - An unsigned 32bit integer overflow in Nikon MakerNote handling could
+ be used by local attackers to cause crashes or information leaks.
+ (Closes: #1133922).
+ * d/patches/CVE-2026-32775.patch: Add patch for CVE-2026-32775.patch.
+ - If the exif_mnote_data_get_value function in MakerNotes gets passed
+ in a 0 size, the passed in-buffer would be overwritten due to an
+ integer underflow (Closes: #1131116).
+
+ -- Emmanuel Arias <[email protected]> Fri, 17 Apr 2026 07:48:04 -0300
+
libexif (0.6.25-1) unstable; urgency=medium
* New upstream version 0.6.25.
diff -Nru libexif-0.6.25/debian/patches/CVE-2026-32775.patch
libexif-0.6.25/debian/patches/CVE-2026-32775.patch
--- libexif-0.6.25/debian/patches/CVE-2026-32775.patch 1969-12-31
21:00:00.000000000 -0300
+++ libexif-0.6.25/debian/patches/CVE-2026-32775.patch 2026-04-17
07:33:27.000000000 -0300
@@ -0,0 +1,82 @@
+From: Marcus Meissner <[email protected]>
+Date: Mon, 9 Mar 2026 10:02:53 +0100
+Subject: [PATCH] check maxlen to be at least 1
+
+maxlen-- on 0 will become a high value.
+
+(likely found by AI)
+
+Fixes https://github.com/libexif/libexif/issues/247
+Bug-Debian: https://bugs.debian.org/1131116
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-32775
+---
+ libexif/apple/mnote-apple-entry.c | 2 ++
+ libexif/canon/mnote-canon-entry.c | 2 ++
+ libexif/fuji/mnote-fuji-entry.c | 1 +
+ libexif/olympus/mnote-olympus-entry.c | 2 ++
+ libexif/pentax/mnote-pentax-entry.c | 1 +
+ 5 files changed, 8 insertions(+)
+
+diff --git a/libexif/apple/mnote-apple-entry.c
b/libexif/apple/mnote-apple-entry.c
+index 36e002c5..0fa6bc24 100644
+--- a/libexif/apple/mnote-apple-entry.c
++++ b/libexif/apple/mnote-apple-entry.c
+@@ -45,6 +45,8 @@ mnote_apple_entry_get_value(MnoteAppleEntry *entry, char *v,
unsigned int maxlen
+
+ if (!entry)
+ return NULL;
++ if (maxlen < 1)
++ return NULL;
+
+ memset(v, 0, maxlen);
+ maxlen--;
+diff --git a/libexif/canon/mnote-canon-entry.c
b/libexif/canon/mnote-canon-entry.c
+index de0fac4f..2849d5ba 100644
+--- a/libexif/canon/mnote-canon-entry.c
++++ b/libexif/canon/mnote-canon-entry.c
+@@ -561,6 +561,8 @@ mnote_canon_entry_get_value (const MnoteCanonEntry *entry,
unsigned int t, char
+
+ if (!entry)
+ return NULL;
++ if (maxlen < 1)
++ return NULL;
+
+ data = entry->data;
+ size = entry->size;
+diff --git a/libexif/fuji/mnote-fuji-entry.c b/libexif/fuji/mnote-fuji-entry.c
+index 47e01ed5..5d9f16fd 100644
+--- a/libexif/fuji/mnote-fuji-entry.c
++++ b/libexif/fuji/mnote-fuji-entry.c
+@@ -201,6 +201,7 @@ mnote_fuji_entry_get_value (MnoteFujiEntry *entry,
+ int i, j;
+
+ if (!entry) return (NULL);
++ if (maxlen < 1) return NULL;
+
+ memset (val, 0, maxlen);
+ maxlen--;
+diff --git a/libexif/olympus/mnote-olympus-entry.c
b/libexif/olympus/mnote-olympus-entry.c
+index e5200bec..f938d409 100644
+--- a/libexif/olympus/mnote-olympus-entry.c
++++ b/libexif/olympus/mnote-olympus-entry.c
+@@ -286,6 +286,8 @@ mnote_olympus_entry_get_value (MnoteOlympusEntry *entry,
char *v, unsigned int m
+
+ if (!entry)
+ return (NULL);
++ if (maxlen < 1)
++ return NULL;
+
+ memset (v, 0, maxlen);
+ maxlen--;
+diff --git a/libexif/pentax/mnote-pentax-entry.c
b/libexif/pentax/mnote-pentax-entry.c
+index 46900c3a..0a6f87a1 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -317,6 +317,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ int i = 0, j = 0;
+
+ if (!entry) return (NULL);
++ if (maxlen < 1) return (NULL);
+
+ memset (val, 0, maxlen);
+ maxlen--;
diff -Nru libexif-0.6.25/debian/patches/CVE-2026-40385.patch
libexif-0.6.25/debian/patches/CVE-2026-40385.patch
--- libexif-0.6.25/debian/patches/CVE-2026-40385.patch 1969-12-31
21:00:00.000000000 -0300
+++ libexif-0.6.25/debian/patches/CVE-2026-40385.patch 2026-04-17
07:33:27.000000000 -0300
@@ -0,0 +1,29 @@
+From: Marcus Meissner <[email protected]>
+Date: Fri, 3 Apr 2026 11:18:47 +0200
+Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes
+
+The addition o2 = datao + exif_get_long(buf + o2, n->order)
+could have overflowed on systems with 32bit unsigned int size_t.
+
+This could have caused out of bound reads of data, leading to
+misparsing of exif / crashes.
+
+Reported-By: Kerwin <[email protected]>
+Bug-Debian: https://bugs.debian.org/1133922
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40385
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c
b/libexif/olympus/exif-mnote-data-olympus.c
+index 428f365d..37f08ff1 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -386,6 +386,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+ o2 += 2;
+
+ /* Go to where the number of entries is. */
++ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2,
n->order))) return;
+ o2 = datao + exif_get_long (buf + o2, n->order);
+ break;
+
diff -Nru libexif-0.6.25/debian/patches/CVE-2026-40386.patch
libexif-0.6.25/debian/patches/CVE-2026-40386.patch
--- libexif-0.6.25/debian/patches/CVE-2026-40386.patch 1969-12-31
21:00:00.000000000 -0300
+++ libexif-0.6.25/debian/patches/CVE-2026-40386.patch 2026-04-17
07:33:27.000000000 -0300
@@ -0,0 +1,40 @@
+From: Marcus Meissner <[email protected]>
+Date: Thu, 2 Apr 2026 13:26:31 +0200
+Subject: [PATCH] fixed 2 unsigned integer underflows
+
+this could cause crashes or data leaks.
+
+Reported-by: Kerwin <[email protected]>
+Bug-Debian: https://bugs.debian.org/1133923
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40386
+---
+ libexif/fuji/exif-mnote-data-fuji.c | 2 +-
+ libexif/olympus/exif-mnote-data-olympus.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/fuji/exif-mnote-data-fuji.c
b/libexif/fuji/exif-mnote-data-fuji.c
+index c28c541b..2dcb8775 100644
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -70,7 +70,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned
int i, char *val, uns
+ ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d;
+
+ if (!d || !val) return NULL;
+- if (i > n->count -1) return NULL;
++ if (i >= n->count) return NULL;
+ /*
+ exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji",
+ "Querying value for tag '%s'...",
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c
b/libexif/olympus/exif-mnote-data-olympus.c
+index a57af177..428f365d 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -78,7 +78,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d,
unsigned int i, char *val,
+ ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d;
+
+ if (!d || !val) return NULL;
+- if (i > n->count -1) return NULL;
++ if (i >= n->count) return NULL;
+ /*
+ exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ "Querying value for tag '%s'...",
diff -Nru libexif-0.6.25/debian/patches/series
libexif-0.6.25/debian/patches/series
--- libexif-0.6.25/debian/patches/series 1969-12-31 21:00:00.000000000
-0300
+++ libexif-0.6.25/debian/patches/series 2026-04-17 07:34:06.000000000
-0300
@@ -0,0 +1,3 @@
+CVE-2026-32775.patch
+CVE-2026-40385.patch
+CVE-2026-40386.patch
--- End Message ---
