Your message dated Sat, 08 Aug 2020 22:05:43 +0000
with message-id <[email protected]>
and subject line Bug#946341: fixed in exiv2 0.27.3-1
has caused the Debian Bug report #946341,
regarding exiv2: CVE-2019-17402
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946341
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: exiv2
Version: 0.25-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/issues/1019
Control: found -1 0.25-3.1+deb9u1

Hi,

The following vulnerability was published for exiv2.

CVE-2019-17402[0]:
| Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
| types.cpp when called from
| Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp,
| because there is no validation of the relationship of the total size
| to the offset and size.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17402
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17402
[1] https://github.com/Exiv2/exiv2/issues/1019
[2] https://github.com/Exiv2/exiv2/issues/1026

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
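The validation the CVE text describes as missing, as an added C++ example (not Exiv2's code): an overflow-safe check that each directory entry's offset and size fit inside the total heap size, run over a constructed heap whose second entry would slip past a naive offset + size test. The 10-byte entry layout and the simplified getUShort/getULong/readDirectory stand-ins are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed CIFF-style directory entry: (offset, size) point into a heap of
// `total` bytes. The 10-byte little-endian layout (tag u16, size u32, offset
// u32) is assumed for this example; this is not Exiv2's code.
struct CiffEntry { uint16_t tag; uint32_t size; uint32_t offset; };

static uint16_t getUShort(const std::vector<uint8_t>& b, std::size_t pos) {
    if (pos + 2 > b.size()) throw std::out_of_range("getUShort past end");
    return static_cast<uint16_t>(b[pos] | (b[pos + 1] << 8));
}
static uint32_t getULong(const std::vector<uint8_t>& b, std::size_t pos) {
    if (pos + 4 > b.size()) throw std::out_of_range("getULong past end");
    return b[pos] | (uint32_t(b[pos + 1]) << 8) | (uint32_t(b[pos + 2]) << 16) | (uint32_t(b[pos + 3]) << 24);
}
// The validation CVE-2019-17402 describes as missing: the entry's data must lie
// inside the heap. Written as size <= total - offset so a huge offset or size
// cannot wrap in 32-bit arithmetic and slip past a naive offset + size <= total.
bool entryInBounds(uint32_t offset, uint32_t size, uint32_t total) {
    return offset <= total && size <= total - offset;
}
// Parse `count` entries at `dirStart`, rejecting any entry that does not fit in
// the heap before it can be used to read entry data.
std::vector<CiffEntry> readDirectory(const std::vector<uint8_t>& heap, std::size_t dirStart, uint16_t count) {
    std::vector<CiffEntry> out;
    const uint32_t total = static_cast<uint32_t>(heap.size());
    for (uint16_t i = 0; i < count; ++i) {
        const std::size_t pos = dirStart + static_cast<std::size_t>(i) * 10;
        CiffEntry e{getUShort(heap, pos), getULong(heap, pos + 2), getULong(heap, pos + 6)};
        if (!entryInBounds(e.offset, e.size, total)) throw std::runtime_error("CIFF entry exceeds heap size");
        out.push_back(e);
    }
    return out;
}
static void putUShort(std::vector<uint8_t>& b, uint16_t v) { b.push_back(v & 0xFF); b.push_back(v >> 8); }
static void putULong(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back((v >> (8 * i)) & 0xFF);
}
// Constructed sample heap: 8 payload bytes, then a valid entry (offset 0, size 8)
// and optionally one whose offset + size wraps to 1 in 32-bit arithmetic.
std::vector<uint8_t> sampleHeap(bool includeBadEntry) {
    std::vector<uint8_t> heap(8, uint8_t{0xAA});
    putUShort(heap, 0x0001); putULong(heap, 8); putULong(heap, 0);
    if (includeBadEntry) { putUShort(heap, 0x0002); putULong(heap, 0xFFFFFFFDu); putULong(heap, 4); }
    return heap;
}
```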
--- Begin Message ---
Source: exiv2
Source-Version: 0.27.3-1
Done: Pino Toscano <[email protected]>

We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <[email protected]> (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Aug 2020 23:23:52 +0200
Source: exiv2
Architecture: source
Version: 0.27.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <[email protected]>
Changed-By: Pino Toscano <[email protected]>
Closes: 946341 950631 957188
Changes:
 exiv2 (0.27.3-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - fixes CVE-2019-17402 (Closes: #946341)
   * Update the patches:
     - fix-man-page-table-formatting.patch: refresh
     - remove-execute-permission-bit-from-ini-test-sample.patch: not needed as
       patch, it will be done with a simpler chmod
     - Fix-issue-712.patch: drop, backported from upstream
     - Add-comment-to-explain-choice-of-cut-off-value.patch: drop, backported
       from upstream
     - Fix-1011-fix_1011_jp2_readmetadata_loop.patch: drop, backported from
       upstream
     - drop debian/source/include-binaries, no more needed now
   * Update symbols file. (Closes: #950631, #957188)
   * Add Rules-Requires-Root: no.
   * Append -Wno-deprecated-declarations to the CXXFLAGS: exiv2 uses
     std::auto_ptr<> a lot, so avoid the lots of deprecation warnings.
   * Remove the executable permissions from all the .ini files in libexiv2-doc.
   * Explicitly add the gettext build dependency.
   * Do not ship TODO in libexiv2-doc, as it is not useful for users.


--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-kde-extras
