Your message dated Sun, 31 Aug 2025 10:04:25 +0000
with message-id <[email protected]>
and subject line Bug#1112506: fixed in exiv2 0.28.7+dfsg-1
has caused the Debian Bug report #1112506,
regarding exiv2: CVE-2025-55304
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112506
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: exiv2
Version: 0.28.5+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/issues/3333
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for exiv2.
CVE-2025-55304[0]:
| Exiv2 is a C++ library and a command-line utility to read, write,
| delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-
| of-service was found in Exiv2 version 0.28.5: a quadratic algorithm
| in the ICC profile parsing code in jpegBase::readMetadata() can
| cause Exiv2 to run for a long time. The denial-of-service is
| triggered when Exiv2 is used to read the metadata of a crafted jpg
| image file. The bug is fixed in version 0.28.6.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-55304
https://www.cve.org/CVERecord?id=CVE-2025-55304
[1] https://github.com/Exiv2/exiv2/issues/3333
[2] https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.28.7+dfsg-1
Done: Pino Toscano <[email protected]>
We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <[email protected]> (supplier of updated exiv2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 31 Aug 2025 11:38:44 +0200
Source: exiv2
Architecture: source
Version: 0.28.7+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian KDE Extras Team <[email protected]>
Changed-By: Pino Toscano <[email protected]>
Closes: 1112505 1112506
Changes:
exiv2 (0.28.7+dfsg-1) experimental; urgency=medium
.
* Team upload.
* New upstream release:
- fixes CVE-2025-54080 (Closes: #1112505)
- fixes CVE-2025-55304 (Closes: #1112506)
* Bump standards version to 4.7.2, no changes required.
* Update symbols file; the loss symbol is an internal function.
* Simplify GPL 2 license text in copyright.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---