Your message dated Thu, 10 Feb 2022 19:36:24 +0000
with message-id <e1nifeu-000dpo...@fasolo.debian.org>
and subject line Bug#987736: fixed in exiv2 0.27.5-1
has caused the Debian Bug report #987736,
regarding exiv2: CVE-2021-29473
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exiv2
Version: 0.27.3-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/pull/1587
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for exiv2.

CVE-2021-29473[0]:
| Exiv2 is a C++ library and a command-line utility to read, write,
| delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-
| bounds read was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is
| a command-line utility and C++ library for reading, writing, deleting,
| and modifying the metadata of image files. The out-of-bounds read is
| triggered when Exiv2 is used to write metadata into a crafted image
| file. An attacker could potentially exploit the vulnerability to cause
| a denial of service by crashing Exiv2, if they can trick the victim
| into running Exiv2 on a crafted image file. Note that this bug is only
| triggered when writing the metadata, which is a less frequently used
| Exiv2 operation than reading the metadata. For example, to trigger the
| bug in the Exiv2 command-line application, you need to add an extra
| command-line argument such as `insert`. The bug is fixed in version
| v0.27.4. Please see our security policy for information about Exiv2
| security.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
[1] https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2
[2] https://github.com/Exiv2/exiv2/pull/1587

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.27.5-1
Done: Sandro Knauß <he...@debian.org>

We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <he...@debian.org> (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 10 Feb 2022 20:05:47 +0100
Source: exiv2
Architecture: source
Version: 0.27.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-ext...@lists.alioth.debian.org>
Changed-By: Sandro Knauß <he...@debian.org>
Closes: 986888 987277 987450 987736 988241 988242 988481 988731 992705 992706 992707 1000788
Changes:
 exiv2 (0.27.5-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Simon Schmeisser ]
   * New upstream release (Closes: #1000788):
     - fixes CVE-2021-29458 (Closes: #987277)
     - fixes CVE-2021-29463 (Closes: #988241)
     - fixes CVE-2021-29464 (Closes: #988242)
     - fixes CVE-2021-29470 (Closes: #987450)
     - fixes CVE-2021-29473 (Closes: #987736)
     - fixes CVE-2021-29623 (Closes: #988481)
     - fixes CVE-2021-32617 (Closes: #988731)
     - fixes CVE-2021-32815 (Closes: #992705)
     - fixes CVE-2021-34334 (Closes: #992706)
     - fixes CVE-2021-34335 (Closes: #992707)
     - fixes CVE-2021-3482 (Closes: #986888)
     - fixes CVE-2021-37615
     - fixes CVE-2021-37616
     - fixes CVE-2021-37618
     - fixes CVE-2021-37619
     - fixes CVE-2021-37620
     - fixes CVE-2021-37621
     - fixes CVE-2021-37622
     - fixes CVE-2021-37623
   * Remove patches that have been fixed upstream:
     - fix-man-page-table-formatting.patch
     - fcf-protection-only-on-x86.diff
   * Update symbols file
 .
   [ Sandro Knauß ]
   * Remove cruft dbg->dbgsym package dependency.
   * Bump Standards-Version to 4.6.0 (No changes needed).
   * Bump compat level to 13.
   * Bring copyright file in line with DEP-5.
   * Remove maxy from Uploaders list.
   * Cleanup copyright file.


--- End Message ---
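The reporter asks that the changelog entry name the CVE id, and the upload above closes the bug with a "fixes CVE-... (Closes: #...)" line. As an added example (not part of the bug report or of Debian's own tooling), here is a small Python check that parses such a Changes block, maps each CVE to the bug numbers it closes, and cross-checks the Closes: header against the body; the sample input is a trimmed copy of the exiv2 0.27.5-1 entry, constructed here.

```python
import re

# Constructed sample: a trimmed copy of the Changes block from the
# exiv2 0.27.5-1 upload (the real block lists many more CVE lines).
CHANGES = """\
 exiv2 (0.27.5-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Simon Schmeisser ]
   * New upstream release (Closes: #1000788):
     - fixes CVE-2021-29458 (Closes: #987277)
     - fixes CVE-2021-29473 (Closes: #987736)
     - fixes CVE-2021-37615
   * Update symbols file
"""

# Constructed Closes: header matching the trimmed block above.
CLOSES_HEADER = "987277 987736 1000788"

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CLOSES_RE = re.compile(r"Closes:\s*#(\d+)")


def parse_changes(text):
    """Return (cve -> set of bug numbers on the same line, all bug numbers)."""
    cve_to_bugs = {}
    bugs = set()
    for line in text.splitlines():
        line_bugs = set(CLOSES_RE.findall(line))
        bugs |= line_bugs
        for cve in CVE_RE.findall(line):
            cve_to_bugs.setdefault(cve, set()).update(line_bugs)
    return cve_to_bugs, bugs


def audit(text, closes_header, cve, bug):
    """List problems: CVE missing, CVE not closing `bug`, or header/body mismatch."""
    cve_to_bugs, body_bugs = parse_changes(text)
    header_bugs = set(closes_header.split())
    problems = []
    if cve not in cve_to_bugs:
        problems.append(f"{cve} not mentioned in changelog")
    elif bug not in cve_to_bugs[cve]:
        problems.append(f"{cve} does not close #{bug}")
    for b in sorted(header_bugs - body_bugs):
        problems.append(f"#{b} in Closes: header but not in changelog body")
    for b in sorted(body_bugs - header_bugs):
        problems.append(f"#{b} closed in body but missing from Closes: header")
    return problems
```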
_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-kde-extras