Your message dated Mon, 06 Nov 2023 22:04:38 +0000
with message-id <e1r07i2-00dpip...@fasolo.debian.org>
and subject line Bug#1055470: fixed in exiv2 0.28.1+dfsg-1
has caused the Debian Bug report #1055470,
regarding exiv2: CVE-2023-44398
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1055470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055470
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exiv2
Version: 0.28.0+dfsg-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for exiv2.
CVE-2023-44398[0]:
| Exiv2 is a C++ library and a command-line utility to read, write,
| delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-
| bounds write was found in Exiv2 version v0.28.0. The vulnerable
| function, `BmffImage::brotliUncompress`, is new in v0.28.0, so
| earlier versions of Exiv2 are _not_ affected. The out-of-bounds
| write is triggered when Exiv2 is used to read the metadata of a
| crafted image file. An attacker could potentially exploit the
| vulnerability to gain code execution, if they can trick the victim
| into running Exiv2 on a crafted image file. This bug is fixed in
| version v0.28.1. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-44398
https://www.cve.org/CVERecord?id=CVE-2023-44398
[1] https://github.com/Exiv2/exiv2/security/advisories/GHSA-hrw9-ggg3-3r4r
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.28.1+dfsg-1
Done: Pino Toscano <p...@debian.org>
We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <p...@debian.org> (supplier of updated exiv2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 06 Nov 2023 22:41:59 +0100
Source: exiv2
Architecture: source
Version: 0.28.1+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-ext...@lists.alioth.debian.org>
Changed-By: Pino Toscano <p...@debian.org>
Closes: 1055470
Changes:
exiv2 (0.28.1+dfsg-1) experimental; urgency=medium
.
* Team upload.
* New upstream release:
- fixes CVE-2023-44398 (Closes: #1055470)
* Update the patches:
- upstream_avoid-LTO-issues.patch: drop, backported from upstream
- upstream_asf-fix-GUID-reading-on-big-endian-platforms.patch: drop,
backported from upstream
- tests-do-not-hardcode-ENOENT.diff: drop, fixed upstream
* Backport the upstream PR https://github.com/Exiv2/exiv2/pull/2819 to fix
the installation of the CMake config files in the library directory;
cmake-config-installdir.diff.
--- End Message ---