Your message dated Fri, 25 May 2007 09:02:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#424775: fixed in libexif 0.6.15-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libexif
Severity: grave
Tags: security
Justification: user security hole

A vulnerability has been found in libexif:
"Integer overflow in the exif_data_load_data_entry function in
exif-data.c in libexif before 0.6.14 allows user-assisted remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via crafted EXIF data, involving the (1) doff or (2) s
variable."

See
http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272

Please mention the CVE id in the changelog.


--- End Message ---
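The bug report above quotes the CVE text but not the arithmetic behind it. The following is an added illustration, not libexif's exif_data_load_data_entry and not code from the bug report: a minimal IFD-entry loader with the bounds check written in the wrapping form the CVE describes (the sum of the data offset doff and the data size s overflowing 32-bit arithmetic) next to a hardened form. It goes slightly beyond the quoted text by also guarding the count-times-format-size multiplication that produces s. Entry layout follows TIFF (tag, format, count, value-or-offset), little-endian byte order is assumed for brevity, and the function names, the 32-byte buffers and the crafted entries are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TIFF/EXIF IFD entry: tag(2) format(2) count(4) value-or-offset(4).
 * Data larger than 4 bytes lives at the offset; smaller data is inline. */
enum { IFD_ENTRY_LEN = 12, BUF_LEN = 32 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Bytes per component: 1=BYTE, 2=ASCII, 3=SHORT, 4=LONG; 0 means unknown. */
static uint32_t format_size(uint16_t fmt) {
    switch (fmt) { case 1: case 2: return 1; case 3: return 2; case 4: return 4; default: return 0; }
}

/* Vulnerable shape: doff + s is computed in uint32_t, so a crafted s wraps
 * the sum below size and out-of-buffer data is accepted. */
static int in_bounds_naive(uint32_t doff, uint32_t s, uint32_t size) {
    return doff + s <= size;
}

/* Hardened shape: no addition that can wrap; each operand is compared to size. */
static int in_bounds_safe(uint32_t doff, uint32_t s, uint32_t size) {
    if (doff > size) return 0;
    return s <= size - doff;
}

/* Load the entry at entry_off in buf[0..size). Returns 1 if the data range
 * [doff, doff+s) is accepted, 0 if rejected. hardened selects the safe path. */
static int load_entry(const unsigned char *buf, uint32_t size, uint32_t entry_off,
                      int hardened, uint32_t *out_doff, uint32_t *out_s) {
    if (entry_off > size || size - entry_off < IFD_ENTRY_LEN) return 0;
    const unsigned char *e = buf + entry_off;
    uint32_t count = rd32(e + 4);
    uint32_t fsz = format_size(rd16(e + 2));
    if (fsz == 0) return 0;

    uint32_t s;
    if (hardened) {
        if (count > UINT32_MAX / fsz) return 0;   /* count * fsz would wrap */
        s = count * fsz;
    } else {
        s = count * fsz;                          /* silently wraps on crafted count */
    }
    /* entry_off + 8 cannot overflow: entry_off + 12 <= size was checked above. */
    uint32_t doff = (s <= 4) ? entry_off + 8 : rd32(e + 8);

    int ok = hardened ? in_bounds_safe(doff, s, size) : in_bounds_naive(doff, s, size);
    if (ok) { *out_doff = doff; *out_s = s; }
    return ok;
}

/* Constructed 32-byte EXIF fragments with one entry at offset 0:
 *   0: benign ASCII "hello" at offset 12
 *   1: ASCII with count 0xFFFFFFF0 at offset 16: doff + s wraps to 0
 *   2: LONG with count 0x40000004 at offset 12: count * 4 wraps to 16
 * Returns 1 if the chosen parser accepts the entry, 0 if it rejects it. */
int demo_case(int which, int hardened) {
    unsigned char buf[BUF_LEN];
    memset(buf, 0, sizeof buf);
    put16(buf, 0x010E);                                   /* ImageDescription */
    switch (which) {
    case 0: put16(buf + 2, 2); put32(buf + 4, 6); put32(buf + 8, 12);
            memcpy(buf + 12, "hello", 6); break;
    case 1: put16(buf + 2, 2); put32(buf + 4, 0xFFFFFFF0u); put32(buf + 8, 16); break;
    case 2: put16(buf + 2, 4); put32(buf + 4, 0x40000004u); put32(buf + 8, 12); break;
    default: return 0;
    }
    uint32_t doff = 0, s = 0;
    return load_entry(buf, BUF_LEN, 0, hardened, &doff, &s);
}

int main(void) {
    const char *names[] = { "benign", "doff+s wraps", "count*fsz wraps" };
    for (int i = 0; i < 3; i++)
        printf("%-16s naive=%s hardened=%s\n", names[i],
               demo_case(i, 0) ? "accept" : "reject", demo_case(i, 1) ? "accept" : "reject");
    return 0;
}
```

The naive parser accepts all three entries; the hardened one accepts only the benign entry. Once a wrapped size is accepted, the caller copies s bytes from doff, which is the crash or out-of-bounds read that the advisory's "denial of service (crash) or possibly execute arbitrary code" refers to.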
--- Begin Message ---
Source: libexif
Source-Version: 0.6.15-1

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive:

libexif-dev_0.6.15-1_i386.deb
  to pool/main/libe/libexif/libexif-dev_0.6.15-1_i386.deb
libexif12_0.6.15-1_i386.deb
  to pool/main/libe/libexif/libexif12_0.6.15-1_i386.deb
libexif_0.6.15-1.diff.gz
  to pool/main/libe/libexif/libexif_0.6.15-1.diff.gz
libexif_0.6.15-1.dsc
  to pool/main/libe/libexif/libexif_0.6.15-1.dsc
libexif_0.6.15.orig.tar.gz
  to pool/main/libe/libexif/libexif_0.6.15.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frederic Peters <[EMAIL PROTECTED]> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 25 May 2007 10:04:00 +0200
Source: libexif
Binary: libexif12 libexif-dev
Architecture: source i386
Version: 0.6.15-1
Distribution: unstable
Urgency: high
Maintainer: Frederic Peters <[EMAIL PROTECTED]>
Changed-By: Frederic Peters <[EMAIL PROTECTED]>
Description: 
 libexif-dev - library to parse EXIF files (development files)
 libexif12  - library to parse EXIF files
Closes: 424775
Changes: 
 libexif (0.6.15-1) unstable; urgency=high
 .
   * New upstream release, with security fixes:
     * Integer overflow in the exif_data_load_data_entry (CVE-2007-2645)
       (closes: #424775)
     * Don't dereference NULL (CID 4) (no assigned CVE)
     * Don't parse Makernote when there is not enough data for
       (makernote-irrelevant) IFD1 (no assigned CVE)
   * debian/patches/30_olympus_makernote.dpatch: merged upstream
   * debian/patches/40_crash_looking_up_invalid_values.dpatch: merged upstream
   * debian/patches/50_relibtoolize.dpatch: run libtoolize on sources
Files: 
 9a27e453d9589826398249525a84e347 610 libs optional libexif_0.6.15-1.dsc
 01b8e0a2d4cd785246f0178f409b2dd2 991108 libs optional libexif_0.6.15.orig.tar.gz
 2b9ee349f27db1392c98a04e8ef59471 26930 libs optional libexif_0.6.15-1.diff.gz
 b80b33f2c6f85ad114b2ac2baab531f6 143920 libdevel optional libexif-dev_0.6.15-1_i386.deb
 92e8d15dd0ef1fc8a5d54af7405cf59d 222688 libs optional libexif12_0.6.15-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVps+oR3LsWeD7V4RArIJAJ4vGtwLhpo2o1N/sgrmeFtnE7foXQCfbz8n
PEgXVmY+I4SLL5zJ2GyJ3ME=
=YOom
-----END PGP SIGNATURE-----


--- End Message ---