Bug#974608: gthumb uses internal libexiv2 functions to get the user comment
Control: reopen -1
Control: severity -1 important

On Mon, 14 Dec 2020 23:32:16 +0100 Vincent Lefevre wrote:
> Control: severity -1 serious
>
> According to the upstream libexiv2 maintainer, gthumb uses some
> internal libexiv2 function, which means that an update of libexiv2
> can break it at any time, potentially introducing security issues.
>
> Note that a change of behavior could have already been seen with
> the upgrade of libexiv2-27 to 0.27.3 with the appearance of spurious
> data before the comment.
>
> The correct way to get the comment is
>
> std::string comment = Exiv2::CommentValue(value().toString()).comment();

I briefly read upstream's solution to the original problem [1]. It seems that upstream's solution was doing hardcoding, which does not look like the correct way. This solves the original issue for now, but I'm not sure whether things would break in the long run. Note that I'm not the maintainer of gthumb and my comment may be wrong.

Anyway, I have backported upstream's fix in git trunk and pushed a new upload with a new version (3.11.1-0.1) to clean things up. Meanwhile, I chose to downgrade the severity to important for now since we are getting close to the release freeze and libexiv2 is unlikely to break its API/ABI around this part again. This issue should be further investigated and fixed in the next release cycle, though.

Thanks,
Boyuan Yang

[1] https://gitlab.gnome.org/GNOME/gthumb/-/commit/3bdb4f94ba37b410ac07c25b5c83e587b55482fd
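The public-API point made in the quoted message (use `Exiv2::CommentValue(...).comment()` rather than internal libexiv2 functions) rests on a detail of the Exif format: the `Exif.Photo.UserComment` tag stores an 8-byte character-code header in front of the text, and that header is what `CommentValue::comment()` strips for you. The following is an added example, not code from gthumb, libexiv2 or this bug report. It does not link against libexiv2; it is a stand-alone C++ decoder for that header, fed a constructed sample payload, shown beside a naive byte copy that leaves the header bytes in front of the comment. The function names (`naiveToString`, `decodeUserComment`, `sampleAsciiComment`) and the sample bytes are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Exif defines Exif.Photo.UserComment as an 8-byte character-code header
// followed by the comment bytes. The header values below come from the
// Exif specification; everything else here is this example's own code.
static const std::size_t kHeaderLen = 8;

struct UserComment {
    std::string charset;  // "ASCII", "JIS", "UNICODE", "Undefined" or "Invalid"
    std::string text;     // comment body with the header and NUL padding removed
    bool ok;              // false when the payload is too short or the header is unknown
};

// Naive approach: treat the whole tag payload as text. The 8 header bytes
// (and any NUL padding) end up inside the returned string.
std::string naiveToString(const std::vector<uint8_t>& raw) {
    return std::string(raw.begin(), raw.end());
}

// Header-aware decode: validate the length, recognise the character code,
// and return only the comment body. Unknown headers are rejected rather
// than guessed at, so malformed metadata cannot leak header bytes into
// what the application shows as the comment.
UserComment decodeUserComment(const std::vector<uint8_t>& raw) {
    UserComment out{"Invalid", "", false};
    if (raw.size() < kHeaderLen) {
        return out;  // shorter than the mandatory header: refuse, do not guess
    }
    static const struct { const char* code; const char* name; } kCodes[] = {
        {"ASCII\0\0\0",      "ASCII"},
        {"JIS\0\0\0\0\0",    "JIS"},
        {"UNICODE\0",        "UNICODE"},
        {"\0\0\0\0\0\0\0\0", "Undefined"},
    };
    for (const auto& c : kCodes) {
        if (std::memcmp(raw.data(), c.code, kHeaderLen) == 0) {
            out.charset = c.name;
            out.ok = true;
            break;
        }
    }
    if (!out.ok) {
        return out;
    }
    // For UNICODE the body is UCS-2 in the TIFF byte order; this example keeps
    // those bytes as-is and only strips trailing NUL padding, which is all the
    // ASCII case below needs.
    std::string body(raw.begin() + kHeaderLen, raw.end());
    while (!body.empty() && body.back() == '\0') {
        body.pop_back();
    }
    out.text = body;
    return out;
}

// Constructed sample payload (not taken from any real file): ASCII header,
// the text "Hello, world", then one byte of NUL padding.
std::vector<uint8_t> sampleAsciiComment() {
    static const char kRaw[] = "ASCII\0\0\0Hello, world\0";
    return std::vector<uint8_t>(kRaw, kRaw + sizeof(kRaw) - 1);
}

int main() {
    const std::vector<uint8_t> raw = sampleAsciiComment();
    std::cout << "naive copy keeps " << naiveToString(raw).size() << " bytes\n";
    const UserComment uc = decodeUserComment(raw);
    std::cout << "charset=" << uc.charset << " text=\"" << uc.text << "\"\n";
    return uc.ok ? 0 : 1;
}
```

The point of the two functions side by side is that the raw tag value is not plain text: an application that reads it through a library's public value-decoding API gets the header handling for free and keeps working when the library's internals change, while code that reaches past the API to internal functions or copies bytes naively carries the header (and any future format detail) into its output.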
Bug#974608: gthumb uses internal libexiv2 functions to get the user comment
Package: gthumb
Version: 3:3.8.3-0.1
Followup-For: Bug #974608

Fixed upstream 1 hour ago:
https://gitlab.gnome.org/GNOME/gthumb/-/commit/3bdb4f94ba37b410ac07c25b5c83e587b55482fd

See also:
https://gitlab.gnome.org/GNOME/gthumb/-/issues/137
https://gitlab.gnome.org/GNOME/gthumb/-/issues/30

I haven't checked whether this can be backported to the 3.8.3 branch. Upgrading the Debian package to 3.11.1 might make more sense.

-- System Information:
Debian Release: 10.7
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-13-amd64 (SMP w/8 CPU cores)
Locale: LANG=fi_FI.utf8, LC_CTYPE=fi_FI.utf8 (charmap=UTF-8), LANGUAGE=fi_FI.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gthumb depends on:
ii  gsettings-desktop-schemas       3.28.1-1
ii  gthumb-data                     3:3.8.3-0.1
ii  libbrasero-media3-1             3.12.2-5
ii  libc6                           2.28-10
ii  libcairo2                       1.16.0-4
ii  libclutter-1.0-0                1.26.2+dfsg-10
ii  libclutter-gtk-1.0-0            1.8.4-4
ii  libexiv2-14                     0.25-4+deb10u1
ii  libgcc1                         1:8.3.0-6
ii  libgdk-pixbuf2.0-0              2.38.1+dfsg-1
ii  libgl1-mesa-dri                 18.3.6-2+deb10u1
ii  libglib2.0-0                    2.58.3-2+deb10u2
ii  libgstreamer-plugins-base1.0-0  1.14.4-2
ii  libgstreamer1.0-0               1.14.4-1
ii  libgtk-3-0                      3.24.5-1
ii  libjpeg62-turbo                 1:1.5.2-2+deb10u1
ii  libjson-glib-1.0-0              1.4.4-2
ii  liblcms2-2                      2.9-3
ii  libpango-1.0-0                  1.42.4-8~deb10u1
ii  libpangocairo-1.0-0             1.42.4-8~deb10u1
ii  libpng16-16                     1.6.36-6
ii  libraw19                        0.19.2-2
ii  librsvg2-2                      2.44.10-2.1
ii  libsecret-1-0                   0.18.7-1
ii  libsoup2.4-1                    2.64.2-2
ii  libstdc++6                      8.3.0-6
ii  libtiff5                        4.1.0+git191117-2~deb10u1
ii  libwebkit2gtk-4.0-37            2.30.4-1~deb10u1
ii  libwebp6                        0.6.1-2
ii  zlib1g                          1:1.2.11.dfsg-1

Versions of packages gthumb recommends:
ii  libgphoto2-6       2.5.22-3
ii  libgphoto2-port12  2.5.22-3

gthumb suggests no packages.
-- no debconf information