Debian Bug report logs - #424775
CVE-2007-2645: libexif 0.6.14 fixes security issue


Package: libexif; Maintainer for libexif is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Thu, 17 May 2007 09:54:02 UTC

Severity: grave

Tags: security

Found in versions 0.6.13-6, 0.6.13-5, 0.6.9-6

Fixed in version libexif/0.6.15-1

Done: Frederic Peters <fpeters@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Frederic Peters <fpeters@debian.org>:
Bug#424775; Package libexif.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Frederic Peters <fpeters@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-2645: libexif 0.6.14 fixes security issue
Date: Thu, 17 May 2007 11:51:03 +0200
Package: libexif
Severity: grave
Tags: security
Justification: user security hole

A vulnerability has been found in libexif:
"Integer overflow in the exif_data_load_data_entry function in
exif-data.c in libexif before 0.6.14 allows user-assisted remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via crafted EXIF data, involving the (1) doff or (2) s
variable."

See
http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272

Please mention the CVE id in the changelog.
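
The integer overflow class named in the CVE text above, shown as an added C illustration that is not part of this bug report and is not libexif's code. It assumes `doff` is an entry's data offset, `s` its data size (element size times component count) and `size` the buffer length, all 32-bit unsigned; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative names only; none of these functions exist in libexif. */

/* Weak check: doff + s is evaluated modulo 2^32, so a huge doff plus a
 * small s wraps to a small sum and passes the comparison. */
int in_bounds_naive(uint32_t doff, uint32_t s, uint32_t size)
{
    return !(size < doff + s);
}

/* Hardened check: compare against the remaining space, never add. */
int in_bounds_checked(uint32_t doff, uint32_t s, uint32_t size)
{
    return doff <= size && s <= size - doff;
}

/* s is itself a product and can wrap before any bounds check sees it. */
int entry_data_size(uint32_t elem_size, uint32_t components, uint32_t *s)
{
    if (elem_size != 0 && components > UINT32_MAX / elem_size)
        return 0;
    *s = elem_size * components;
    return 1;
}

/* Copy one entry's payload only after both checks pass. Returns 1 on success. */
int load_entry(const unsigned char *buf, uint32_t size, uint32_t doff,
               uint32_t elem_size, uint32_t components,
               unsigned char *dst, uint32_t dst_cap)
{
    uint32_t s;
    if (!entry_data_size(elem_size, components, &s)) return 0;
    if (!in_bounds_checked(doff, s, size) || s > dst_cap) return 0;
    memcpy(dst, buf + doff, s);
    return 1;
}

int main(void)
{
    /* Constructed values: offset near 2^32, 32-byte entry, 100-byte buffer. */
    printf("naive=%d checked=%d\n",
           in_bounds_naive(0xFFFFFFF0u, 0x20u, 100u),
           in_bounds_checked(0xFFFFFFF0u, 0x20u, 100u));
    return 0;
}
```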



Bug marked as found in version 0.6.13-6. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Thu, 17 May 2007 10:06:02 GMT)

Bug marked as found in version 0.6.13-5. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Thu, 17 May 2007 10:06:03 GMT)

Bug marked as found in version 0.6.9-6. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Thu, 17 May 2007 10:06:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#424775; Package libexif.

Acknowledgement sent to Frederic Peters <fpeters@debian.org>:
Extra info received and forwarded to list.

Message #16 received at 424775@bugs.debian.org:

From: Frederic Peters <fpeters@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 424775@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#424775: CVE-2007-2645: libexif 0.6.14 fixes security issue
Date: Thu, 24 May 2007 13:32:17 +0200
[Message part 1 (text/plain, inline)]
Hello security team (and sorry for being late, I was away and forgot
to mark myself as on vacation on db.debian.org),

Stefan Fritsch wrote:

> Package: libexif
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> A vulnerability has been found in libexif:
> "Integer overflow in the exif_data_load_data_entry function in
> exif-data.c in libexif before 0.6.14 allows user-assisted remote
> attackers to cause a denial of service (crash) or possibly execute
> arbitrary code via crafted EXIF data, involving the (1) doff or (2) s
> variable."
> 
> See
> http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272
> 
> Please mention the CVE id in the changelog.

I prepared 0.6.13-5.etch.1 for upload, please find the interdiff
attached to this email (stripped of a copy of config.log that sneaked
into the 0.6.13-5 diff).

I also backported other security-related fixes that went in between
0.6.14 and 0.6.15 (but have not been announced).

libexif (0.6.13-5.etch.1) stable-security; urgency=high

  * Backported security fix from 0.6.14 and 0.6.15
    * Integer overflow in the exif_data_load_data_entry (CVE-2007-2645)
      (closes: #424775)
    * Don't dereference NULL (CID 4) (no assigned CVE)
    * Don't parse Makernote when there is not enough data for
      (makernote-irrelevant) IFD1 (no assigned CVE)

 -- Frederic Peters <fpeters@debian.org>  Thu, 24 May 2007 13:01:20 +0200

Is this okay for upload?


Regards,

        Frederic

[libexif-cve.inter.diff (text/x-diff, attachment)]
[libexif_0.6.13-5.etch.1.dsc (text/plain, attachment)]
[libexif_0.6.13-5.etch.1.diff.gz (application/x-gunzip, attachment)]
[Message part 5 (application/pgp-signature, inline)]

Reply sent to Frederic Peters <fpeters@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #21 received at 424775-close@bugs.debian.org:

From: Frederic Peters <fpeters@debian.org>
To: 424775-close@bugs.debian.org
Subject: Bug#424775: fixed in libexif 0.6.15-1
Date: Fri, 25 May 2007 09:02:08 +0000
Source: libexif
Source-Version: 0.6.15-1

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive:

libexif-dev_0.6.15-1_i386.deb
  to pool/main/libe/libexif/libexif-dev_0.6.15-1_i386.deb
libexif12_0.6.15-1_i386.deb
  to pool/main/libe/libexif/libexif12_0.6.15-1_i386.deb
libexif_0.6.15-1.diff.gz
  to pool/main/libe/libexif/libexif_0.6.15-1.diff.gz
libexif_0.6.15-1.dsc
  to pool/main/libe/libexif/libexif_0.6.15-1.dsc
libexif_0.6.15.orig.tar.gz
  to pool/main/libe/libexif/libexif_0.6.15.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 424775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frederic Peters <fpeters@debian.org> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 25 May 2007 10:04:00 +0200
Source: libexif
Binary: libexif12 libexif-dev
Architecture: source i386
Version: 0.6.15-1
Distribution: unstable
Urgency: high
Maintainer: Frederic Peters <fpeters@debian.org>
Changed-By: Frederic Peters <fpeters@debian.org>
Description: 
 libexif-dev - library to parse EXIF files (development files)
 libexif12  - library to parse EXIF files
Closes: 424775
Changes: 
 libexif (0.6.15-1) unstable; urgency=high
 .
   * New upstream release, with security fixes:
     * Integer overflow in the exif_data_load_data_entry (CVE-2007-2645)
       (closes: #424775)
     * Don't dereference NULL (CID 4) (no assigned CVE)
     * Don't parse Makernote when there is not enough data for
       (makernote-irelevant) IFD1 (no assigned CVE)
   * debian/patches/30_olympus_makernote.dpatch: merged upstream
   * debian/patches/40_crash_looking_up_invalid_values.dpatch: merged upstream
   * debian/patches/50_relibtoolize.dpatch: run libtoolize on sources
Files: 
 9a27e453d9589826398249525a84e347 610 libs optional libexif_0.6.15-1.dsc
 01b8e0a2d4cd785246f0178f409b2dd2 991108 libs optional libexif_0.6.15.orig.tar.gz
 2b9ee349f27db1392c98a04e8ef59471 26930 libs optional libexif_0.6.15-1.diff.gz
 b80b33f2c6f85ad114b2ac2baab531f6 143920 libdevel optional libexif-dev_0.6.15-1_i386.deb
 92e8d15dd0ef1fc8a5d54af7405cf59d 222688 libs optional libexif12_0.6.15-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVps+oR3LsWeD7V4RArIJAJ4vGtwLhpo2o1N/sgrmeFtnE7foXQCfbz8n
PEgXVmY+I4SLL5zJ2GyJ3ME=
=YOom
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Jun 2007 07:59:58 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:01:26 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.