Your message dated Thu, 20 Feb 2025 07:04:26 +0000
with message-id <e1tl0bi-00dd8g...@fasolo.debian.org>
and subject line Bug#1098323: fixed in exiv2 0.28.4+dfsg-2
has caused the Debian Bug report #1098323,
regarding exiv2: CVE-2025-26623
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098323
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: exiv2
Version: 0.28.4+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Exiv2/exiv2/issues/3168
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for exiv2.

CVE-2025-26623[0]:
| Exiv2 is a C++ library and a command-line utility to read, write,
| delete and modify Exif, IPTC, XMP and ICC image metadata. A heap
| buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4.
| Versions prior to v0.28.0, such as v0.27.7, are **not** affected.
| Exiv2 is a command-line utility and C++ library for reading,
| writing, deleting, and modifying the metadata of image files. The
| heap overflow is triggered when Exiv2 is used to write metadata into
| a crafted image file. An attacker could potentially exploit the
| vulnerability to gain code execution, if they can trick the victim
| into running Exiv2 on a crafted image file. Note that this bug is
| only triggered when writing the metadata, which is a less frequently
| used Exiv2 operation than reading the metadata. For example, to
| trigger the bug in the Exiv2 command-line application, you need to
| add an extra command-line argument such as `fixiso`. The bug is
| fixed in version v0.28.5. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26623
    https://www.cve.org/CVERecord?id=CVE-2025-26623
[1] https://github.com/Exiv2/exiv2/issues/3168
[2] https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.28.4+dfsg-2
Done: Pino Toscano <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1098...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <p...@debian.org> (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 20 Feb 2025 07:48:47 +0100
Source: exiv2
Architecture: source
Version: 0.28.4+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-ext...@lists.alioth.debian.org>
Changed-By: Pino Toscano <p...@debian.org>
Closes: 1098323
Changes:
 exiv2 (0.28.4+dfsg-2) unstable; urgency=medium
 .
   * Team upload.
   * Backport upstream commit facce628f3622764e91a8161f89ade8cb34bc120 to
     reintroduce the copy constructors for TIFF-related classes, fixing
     CVE-2025-26623; patch upstream_Revert-fix-copy-constructors.patch.
     (Closes: #1098323)
   * Drop permission fixing of .ini files, as now they all have the right
     permissions already.
   * Move some cmake parameters directly in the dh_auto_configure invocation
     rather than as a separate variable: there is no more double build, as
     done in the past.
Checksums-Sha1:
 658396840c13700a61be90dd44bb406bfc4c8b2d 2408 exiv2_0.28.4+dfsg-2.dsc
 29f7665f2be69b1c780631165d706d235c8b8bc6 25372 exiv2_0.28.4+dfsg-2.debian.tar.xz
 c8fc0301da75b75e939a97d2e09954e08e2a5ff5 7365 exiv2_0.28.4+dfsg-2_source.buildinfo
Checksums-Sha256:
 e86ff761939bcef8eec0a38a7e88599dc5f5c59b25c8c087887d0af8e2f74c17 2408 exiv2_0.28.4+dfsg-2.dsc
 7571ba6163a8b4ff9771850808d68f8a66e37fc6cf722673f05da637d595141e 25372 exiv2_0.28.4+dfsg-2.debian.tar.xz
 091bb2f27aec2c3dd94c4c589079612afc18d3a65271865f44cec18ae019e089 7365 exiv2_0.28.4+dfsg-2_source.buildinfo
Files:
 faf4c5208ee6abdc3db1db3a92b1f146 2408 graphics optional exiv2_0.28.4+dfsg-2.dsc
 0fc4614b1cfc99d281236dcd6ba3283f 25372 graphics optional exiv2_0.28.4+dfsg-2.debian.tar.xz
 9f4d3f06c8b14db3275c398316d0beaf 7365 graphics optional exiv2_0.28.4+dfsg-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
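The two messages above pin down the versions that matter for triage: upstream exiv2 v0.28.0 through v0.28.4 is affected, v0.28.5 is the first fixed upstream release, and in Debian the fix lands in 0.28.4+dfsg-2 (0.28.4+dfsg-1 is still vulnerable). Deciding "is this host fixed?" from such strings needs Debian's version ordering, not plain string or float comparison ("0.28.10" sorts after "0.28.9", "+dfsg" sorts after the bare upstream version, "~rc1" sorts before the release). The following is an added example, not code from the bug report, from dpkg, or from the exiv2 project: a pure-Python port of the comparison algorithm in Debian Policy 5.6.12 (the ordering `dpkg --compare-versions` implements), with the version constants taken from the messages above. Everything else (function names, the sample inputs) is constructed for this illustration.

```python
# Added example (not from the Debian bug report, dpkg, or exiv2): a Debian
# version comparator ported from the algorithm in Debian Policy 5.6.12, used
# to classify exiv2 versions against the CVE-2025-26623 ranges stated above.
# The sample version strings below are constructed inputs for illustration.

# Debian package version carrying the backported fix (from the changelog above).
DEBIAN_FIXED_VERSION = "0.28.4+dfsg-2"
# Upstream range from the CVE text: v0.28.0 up to and including v0.28.4 is
# affected; v0.28.5 is the first fixed upstream release.
UPSTREAM_FIRST_AFFECTED = "0.28.0"
UPSTREAM_FIRST_FIXED = "0.28.5"


def _isdigit(c):
    """ASCII digit test (str.isdigit would also accept Unicode digits)."""
    return "0" <= c <= "9"


def _order(c):
    """Weight of one non-digit character, mirroring dpkg's order(): '~' sorts
    before everything including end of string (weight 0), letters sort
    before other characters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream-version or debian-revision fragment. Alternates
    non-digit runs (character-wise via _order) with digit runs (numerically,
    leading zeros ignored). Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: end of string has weight 0, so "1.0" > "1.0~rc1"
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # digit run: drop leading zeros, compare left-aligned; the run with
        # more significant digits wins, otherwise the first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Full Debian ordering: epoch first, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def debian_package_fixed(installed):
    """True when an installed exiv2 Debian package version is at or past the fix."""
    return compare_versions(installed, DEBIAN_FIXED_VERSION) >= 0


def upstream_affected(version):
    """True when an upstream version ('v0.28.4' or '0.28.4+dfsg') is in range."""
    v = version.lstrip("v")
    return (_verrevcmp(v, UPSTREAM_FIRST_AFFECTED) >= 0
            and _verrevcmp(v, UPSTREAM_FIRST_FIXED) < 0)


if __name__ == "__main__":
    for pkg in ("0.28.4+dfsg-1", "0.28.4+dfsg-2", "0.28.5-1"):
        print(pkg, "fixed" if debian_package_fixed(pkg) else "AFFECTED")
    for up in ("v0.27.7", "v0.28.0", "0.28.4+dfsg", "v0.28.5"):
        print(up, "affected" if upstream_affected(up) else "not affected")
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' libexiv2-28` (or whichever exiv2 binary package is installed), and `dpkg --compare-versions "$installed" ge 0.28.4+dfsg-2` is the authoritative check; the port above is for inventory scripts that run where dpkg is not available. Note that an epoch in the installed version (e.g. "1:...") legitimately outranks any epoch-less fixed version, so a false "fixed" from a rebuilt package with a bumped epoch is a packaging question, not a comparator bug.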