Your message dated Sat, 30 May 2020 19:17:08 +0000
with message-id <[email protected]>
and subject line Bug#961410: fixed in libexif 0.6.21-5.1+deb10u3
has caused the Debian Bug report #961410,
regarding libexif: CVE-2020-13114
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
961410: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961410
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libexif
Version: 0.6.21-8
Severity: important
Tags: security upstream
Control: found -1 0.6.21-7
Control: found -1 0.6.21-5.1+deb10u1
Control: found -1 0.6.21-5.1
Control: found -1 0.6.21-2+deb9u1
Control: found -1 0.6.21-2
Hi,
The following vulnerability was published for libexif.
CVE-2020-13114[0]:
| An issue was discovered in libexif before 0.6.22. An unrestricted size
| in handling Canon EXIF MakerNote data could lead to consumption of
| large amounts of compute time for decoding EXIF data.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-13114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
[1] https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libexif
Source-Version: 0.6.21-5.1+deb10u3
Done: Hugh McMaster <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hugh McMaster <[email protected]> (supplier of updated libexif package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 25 May 2020 22:01:18 +1000
Source: libexif
Architecture: source
Version: 0.6.21-5.1+deb10u3
Distribution: buster
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Hugh McMaster <[email protected]>
Closes: 961407 961409 961410
Changes:
 libexif (0.6.21-5.1+deb10u3) buster; urgency=medium
 .
   * Add upstream patches to fix multiple security issues:
     - cve-2020-13112.patch: Fix MakerNote tag size overflow issues at
       read time (CVE-2020-13112) (Closes: #961407).
     - cve-2020-13113.patch: Ensure MakerNote data pointers are
       NULL-initialized (CVE-2020-13113) (Closes: #961409).
     - cve-2020-13114.patch: Add a failsafe on the maximum number of
       Canon MakerNote subtags to catch extremely large values in tags
       (CVE-2020-13114) (Closes: #961410).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---