Your message dated Thu, 30 Jan 2020 09:21:18 +0000
with message-id <e1ix60k-0008bv...@fasolo.debian.org>
and subject line Bug#923472: fixed in exiv2 0.27.2-8
has caused the Debian Bug report #923472,
regarding exiv2: CVE-2019-9143
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
923472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923472
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exiv2
Version: 0.26-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Exiv2/exiv2/issues/711
Hi,
The following vulnerability was published for exiv2.
CVE-2019-9143[0]:
| An issue was discovered in Exiv2 0.27. There is infinite recursion at
| Exiv2::Image::printTiffStructure in the file image.cpp. This can be
| triggered by a crafted file. It allows an attacker to cause Denial of
| Service (Segmentation fault) or possibly have unspecified other impact.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9143
[1] https://github.com/Exiv2/exiv2/issues/711
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.27.2-8
We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 923...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <p...@debian.org> (supplier of updated exiv2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Jan 2020 09:39:44 +0100
Source: exiv2
Architecture: source
Version: 0.27.2-8
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-ext...@lists.alioth.debian.org>
Changed-By: Pino Toscano <p...@debian.org>
Closes: 923472 923473 936496 950183
Changes:
exiv2 (0.27.2-8) unstable; urgency=medium
  .
  * Team upload.
  * Update symbols file from the logs of buildds.
  * Merge useful changes from 0.25-4:
    - add Maximiliano Curia as Uploader
    - adjust version of dbgsym migration
  * Drop the python:native build dependency, as it is not used.
    (Closes: #936496)
  * Sort install files.
  * Move the static libexiv2-xmp.a from libexiv2-27 to libexiv2-dev, as it is
    needed only for development
    - add proper breaks/replaces
  * The current way to build the API documentation is suboptimal: even in
    -indep builds an -arch build is forced; also the separate doc build
    requires a custom patch. Instead:
    - move the common arguments for cmake to a variable to avoid duplication
    - pass -DEXIV2_BUILD_DOC=ON to enable the documentation build, unless on
      -arch builds
    - pass -DCMAKE_INSTALL_DOCDIR=/usr/share/doc/exiv2/html to cmake to change
      the installation directory of the documentation (mostly for the "html"
      part), and change libexiv2-doc.docs to pick it from that location
    - call the "doc" target in -indep builds
    - drop patch 0001-doc-only-build-target.patch, no longer needed now
  * Remove patch numbers from patch files.
  * Backport upstream commits 4c28673b641d7eacb50baafb5c286f6900ce2002, and
    d4d4d766e9ade2376115eb41cc478eb195df1b39 to fix CVE-2019-9143 and
    CVE-2019-9144; patches Fix-issue-712.patch, and
    Add-comment-to-explain-choice-of-cut-off-value.patch.
    (Closes: #923472, #923473)
  * Backport upstream commit 1b917c3f7dd86336a9f6fda4456422c419dfe88c to fix
    CVE-2019-20421; patch Fix-1011-fix_1011_jp2_readmetadata_loop.patch.
    (Closes: #950183)
  * Add debian/source/include-binaries for the patches Fix-issue-712.patch, and
    Fix-1011-fix_1011_jp2_readmetadata_loop.patch, as they contain the binary
    testcases for the fixes.
--- End Message ---