Your message dated Fri, 27 Aug 2021 11:18:09 +0000
with message-id <e1mjzs9-000fhw...@fasolo.debian.org>
and subject line Bug#991705: fixed in exiv2 0.25-4+deb10u2
has caused the Debian Bug report #991705,
regarding exiv2: CVE-2021-29457
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
991705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991705
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exiv2
Version: 0.27.3-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/issues/1529
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for exiv2.
CVE-2021-31291[0]:
| A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2
| 0.27.3 allows attackers to cause a denial of service (DOS) via crafted
| metadata.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-31291
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31291
[1] https://github.com/Exiv2/exiv2/issues/1529
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.25-4+deb10u2
Done: Moritz Mühlenhoff <j...@debian.org>
We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated exiv2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 06 Aug 2021 11:46:33 +0200
Source: exiv2
Binary: exiv2 exiv2-dbgsym libexiv2-14 libexiv2-14-dbgsym libexiv2-dev libexiv2-doc
Architecture: source amd64 all
Version: 0.25-4+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-...@lists.debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Description:
 exiv2 - EXIF/IPTC/XMP metadata manipulation tool
 libexiv2-14 - EXIF/IPTC/XMP metadata manipulation library
 libexiv2-dev - EXIF/IPTC/XMP metadata manipulation library - development files
 libexiv2-doc - EXIF/IPTC/XMP metadata manipulation library - HTML documentation
Closes: 950183 986888 987277 991705 991706
Changes:
 exiv2 (0.25-4+deb10u2) buster-security; urgency=medium
 .
   * CVE-2021-31291 (Closes: #991705)
     The fix for CVE-2021-31291 also required backporting a few patches that
     fix some (harmless) CVEs alongside:
     - CVE-2019-20421 (Closes: #950183)
     - CVE-2021-3482 (Closes: #986888)
     - CVE-2021-29457 (Closes: #987277)
     - CVE-2021-29473 (Closes: #991705)
   * CVE-2021-31292 (Closes: #991706)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---