libexif (0.6.21-5.1+deb10u5) buster-security; urgency=medium * Add upstream patch to prevent compiler optimization of a buffer overflow check (fixes CVE-2020-0452). -- Hugh McMaster Fri, 06 Nov 2020 23:15:26 +1100 libexif (0.6.21-5.1+deb10u4) buster; urgency=medium * Add upstream patches to fix two security issues: - Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182). - Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198) (Closes: #962345). -- Hugh McMaster Wed, 24 Jun 2020 23:31:09 +1000 libexif (0.6.21-5.1+deb10u3) buster; urgency=medium * Add upstream patches to fix multiple security issues: - cve-2020-13112.patch: Fix MakerNote tag size overflow issues at read time (CVE-2020-13112) (Closes: #961407). - cve-2020-13113.patch: Ensure MakerNote data pointers are NULL-initialized (CVE-2020-13113) (Closes: #961409). - cve-2020-13114.patch: Add a failsafe on the maximum number of Canon MakerNote subtags to catch extremely large values in tags (CVE-2020-13114) (Closes: #961410). -- Hugh McMaster Mon, 25 May 2020 22:01:18 +1000 libexif (0.6.21-5.1+deb10u2) buster; urgency=medium [ Mike Gabriel ] * Sponsored upload. * debian/patches: Trivial rebase of various patches. [ Hugh McMaster ] * Team upload. * Add upstream patches to fix two security issues: - cve-2020-12767.patch: Prevent some possible division-by-zero errors in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199). - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093). -- Mike Gabriel Thu, 21 May 2020 11:26:42 +0200 libexif (0.6.21-5.1+deb10u1) buster-security; urgency=high * Non-maintainer upload by the Security Team. * Fix out of bound write in exif-data.c (CVE-2019-9278) (Closes: #945948) -- Salvatore Bonaccorso Sat, 01 Feb 2020 21:43:18 +0100 libexif (0.6.21-5.1) unstable; urgency=medium * Non-maintainer upload. * Reduce maximum recursion depth in exif_data_load_data_content * Improve deep recursion detection in exif_data_load_data_content (CVE-2018-20030) (Closes: #918730) -- Salvatore Bonaccorso Sun, 10 Feb 2019 14:59:33 +0100 libexif (0.6.21-5) unstable; urgency=medium * Team upload. * debhelper update: - Update package compatibility to level 11. * debian/changelog: - Remove trailing whitespace. * debian/control: - Build-Depend on debhelper version 11. - Raise Standards-Version from 4.1.1 to 4.1.3 (no changes needed). - Update the Homepage field to point to https://libexif.github.io (Closes: #894183). - Update the Vcs fields to point to https://salsa.debian.org. * debian/copyright: - Update the Source URL field to point to https://libexif.github.io. * debian/patches: - Add .patch file extensions to existing patches. - add-am_prog_ar.patch: Add the AM_PROG_AR macro to configure.ac to avoid an automake warning. - ac_lang_source-macro.patch: Use AC_LANG_SOURCE macros to avoid several automake warnings in configure.ac. - fix-size_t-warnings.patch: Cast %u format specifiers to unsigned long to prevent compiler warnings on 32-bit and 64-bit platforms. * debian/rules: - Update dh_installdocs overrides. - Remove '--parallel' (now handled by debhelper >= level 11). * debian/source/options: - Remove from package. Debhelper handles the specified options by default. * debian/watch: - Update to version 4 and switch to upstream's github repository. -- Hugh McMaster Tue, 03 Apr 2018 22:53:18 +1000 libexif (0.6.21-4) unstable; urgency=high * Team upload. * debian/control: - Allow libexif-doc to take ownership of all documentation files previously packaged with libexif-dev (Closes: #880213). - Remove the Replaces field from libexif12 and libexif-dev. * debian/rules: - Include /usr/share/dpkg/architecture.mk. -- Hugh McMaster Thu, 02 Nov 2017 22:31:00 +1100 libexif (0.6.21-3) unstable; urgency=medium * Team upload. * Import changes from NMU version 0.6.21-2.1. * Introduce libexif-doc: - Move the development documentation from libexif-dev to avoid PNG file conflicts during multi-arch installation. - Update the package's doc-base registration. * debian/control: - Revise package order. - Update package Depends lists. * debian/copyright: - Fix a formatting error. * debian/rules: - Exclude doxygen md5 files from installation during the 'dh_installdocs' phase. * Do not package the AUTHORS file, since all developers are listed in the debian/copyright file. -- Hugh McMaster Fri, 27 Oct 2017 21:29:37 +1100 libexif (0.6.21-2.1) unstable; urgency=medium * Non-maintainer upload. * debhelper update: - Update package compatibility to level 10. * debian/control: - Bump debhelper build-dep to >= 10~. - Remove dh-autoreconf from the Build-Depends list, as debhelper enables the 'autoreconf' sequence by default. - Bump Standards-Version from 3.9.5 to 4.1.1. - Use the https protocol in the Vcs-Browser field. - Update the URI referenced by the Vcs-Git field. - Mark libexif-dev Multi-Arch: same (Closes: #786562). * debian/copyright: - Update the format specification URI. - Remove references to libjpeg/* and configure.in (lintian). - Merge paragraphs referring to the same source file (lintian). * debian/patches: - Add upstream patches to fix CVE-2016-6328 and CVE-2017-7544 (thanks to Marcus Meissner) (Closes: #873022, #876466). * debian/rules: - Add 'hardening=+all' to DEB_BUILD_MAINT_OPTIONS. - Exclude doxygen md5 files from installation (lintian). - Remove '--with autoreconf' (now handled by debhelper level 10). - Fix grammatical errors in a comment. -- Hugh McMaster Sat, 07 Oct 2017 22:42:00 +1100 libexif (0.6.21-2) unstable; urgency=medium * Use autoreconf instead of autotools-dev (Closes: #754399) * Bump Standards-Version to 3.9.5 * Add symbols file for libexif12 * Enable parallel building -- Emmanuel Bouthenot Sun, 24 Aug 2014 21:34:56 +0200 libexif (0.6.21-1) unstable; urgency=low * New upstream release * Refresh and remove deprecated patches * Bump Standards-Version to 3.9.4 * Adjust debhelper dependency version to >= 9 -- Emmanuel Bouthenot Sat, 26 Jan 2013 18:03:12 +0000 libexif (0.6.20-3) unstable; urgency=high * Add patches to fix multiples security issues: CVE-2012-2814, CVE-2012-2840, CVE-2012-2813, CVE-2012-2812, CVE-2012-2841, CVE-2012-2836, CVE-2012-2837 (Closes: #681454). -- Emmanuel Bouthenot Tue, 17 Jul 2012 19:05:20 +0000 libexif (0.6.20-2) unstable; urgency=low [ Kees Cook ] * debian/copyright: fix empty lines in multi-line section, add missing intended "license" lines, add missing BSD license for pt_BR.po. * debian/libexif-dev.install: - use multiple lines instead of technically unsupported {}. - remove .la file, per release goal; there are no build dep using it. * debian/{control,compat,*.install,rules}: build for Multi-Arch support (Closes: #650998) [ Emmanuel Bouthenot ] * Bump Standards-Version to 3.9.2 * Remove DMUA field (no more needed) * Update debian/rules to enable usage of autotools_dev sequence with debhelper * Switch debhelper compatibility to 9 * Update Vcs-Git and Vcs-Browser fields -- Emmanuel Bouthenot Fri, 27 Jan 2012 20:34:17 +0000 libexif (0.6.20-1) unstable; urgency=low * New upstream release * debian/copyright: - updates (huge backlog) - switch to DEP5 format * Refresh patches and convert them to DEP3 format * Switch to dpkg-source 3.0 (quilt) format * Update uploader email (me) * Bump Standards-Version to 3.9.1 * Add a patch to support new Canon camera. Thanks to Adrian von Bidder for the patch. Rest In Peace Adrian. (Closes: #617764). -- Emmanuel Bouthenot Wed, 27 Apr 2011 18:17:43 +0000 libexif (0.6.19-1) unstable; urgency=high * New upstream release - fix CVE-2009-3895: heap buffer overflow during tag format conversion (Closes: #557137) -- Emmanuel Bouthenot Thu, 19 Nov 2009 22:38:27 +0000 libexif (0.6.18-1) unstable; urgency=low * New upstream release * Clean and minify the build process (using dh7 overrides) * Bump Standards-Version to 3.8.3. * Add README.source file. * Add doc-base file for libexif API documentation. -- Emmanuel Bouthenot Sat, 24 Oct 2009 09:29:24 +0200 libexif (0.6.17-1) unstable; urgency=low * Adopt the package within pkg-phototools: - Set the Maintainer to the group - Add Frederic Peters and myself as Uploaders. - Add Vcs-Browser and Vcs-Git fields accordingly. * New upstream release: - remove patches merged upsteam: + 30_olympus_makernote.dpatch + 40_crash_looking_up_invalid_values.dpatch + 50_relibtoolize.dpatch + CVE-2007-6351.dpatch + CVE-2007-6352.dpatch - convert existing patches from dpatch to quilt. - Fix a bug while reading exif datas in some cases (Closes: #447907) * Switch packaging to debhelper 7 * Update debian/control: - Drop duplicate section field for exif12 - Bump Standards-Version to 3.8.1 - Replace deprecated ${Source-Version} by ${binary:Version} - Enhance libexif-dev long description. - Add homepage field. - Add DM-Upload-Allowed field. * Force remove of files not fully cleaned * Remove empty doc files in libexif-dev. * Update debian/copyright. -- Emmanuel Bouthenot Sun, 19 Apr 2009 17:53:15 +0200 libexif (0.6.16-2.1) unstable; urgency=high * Non-maintainer upload by security team. * This update addresses the following security issues: - possible denial of service attack via crafted image file leading to an infinite recursion in the exif-loader.c (CVE-2007-6351; Closes: #457330). - integer overflow in exif-data.c triggered by a crafted image file could lead to arbitrary code execution (CVE-2007-6352; Closes: #457330). -- Nico Golde Fri, 21 Dec 2007 17:13:58 +0100 libexif (0.6.16-2) unstable; urgency=low * debian/libexif12.docs: added README file (closes: #434773) -- Frederic Peters Thu, 26 Jul 2007 19:37:47 +0200 libexif (0.6.16-1) unstable; urgency=high * New upstream release, with security fix: * Integer overflow in the exif_data_load_data_entry (CVE-2006-4168) (closes: #430012) -- Frederic Peters Thu, 21 Jun 2007 20:42:24 +0200 libexif (0.6.15-1) unstable; urgency=high * New upstream release, with security fixes: * Integer overflow in the exif_data_load_data_entry (CVE-2007-2645) (closes: #424775) * Don't dereference NULL (CID 4) (no assigned CVE) * Don't parse Makernote when there is not enough data for (makernote-irelevant) IFD1 (no assigned CVE) * debian/patches/30_olympus_makernote.dpatch: merged upstream * debian/patches/40_crash_looking_up_invalid_values.dpatch: merged upstream * debian/patches/50_relibtoolize.dpatch: run libtoolize on sources -- Frederic Peters Fri, 25 May 2007 10:04:00 +0200 libexif (0.6.13-6) unstable; urgency=low * debian/control: added build-depends on dpatch * debian/rules: use dpatch * debian/patches/10_pkg_config_header_dir.dpatch: patch from 0.6.13-4 * debian/patches/20_extra_colorspace_check.dpatch: patch from 0.6.13-5 * debian/patches/30_olympus_makernote.dpatch: added support for Olympus S760 & S770 makernote (closes: #418945) * debian/patches/40_crash_looking_up_invalid_values.dpatch: backport of "fixed crashes when looking up invalid values (upstream #1457501)". -- Frederic Peters Tue, 08 May 2007 11:47:19 +0200 libexif (0.6.13-5) unstable; urgency=low * libexif/exif-entry.c: added extra check against value read for color space (closes: #398426) (this is not from upstream but upstream is said to have this fixed as well, couldn't find how) -- Frederic Peters Sun, 19 Nov 2006 22:57:21 +0100 libexif (0.6.13-4) unstable; urgency=low * libexif/libexif.pc.in: fixed CFLAGS, so include dir is correctly set. (closes: #356567) -- Frederic Peters Sun, 12 Mar 2006 21:14:27 +0100 libexif (0.6.13-3) unstable; urgency=low * debian/watch: added uscan file. -- Frederic Peters Mon, 6 Mar 2006 00:06:29 +0100 libexif (0.6.13-2) unstable; urgency=low * ship NEWS file in libexif12 package. (closes: #355262) -- Frederic Peters Sat, 4 Mar 2006 16:57:03 +0100 libexif (0.6.13-1) unstable; urgency=low * New upstream release. * debian/control: depends on doxygen and graphviz to build documentation; packaged in libexif-dev. -- Frederic Peters Sun, 26 Feb 2006 20:09:03 +0100 libexif (0.6.12-2) unstable; urgency=low * libexif/exif-data.c: backported fix from CVS (revision 1.68) (closes: #318662) -- Frederic Peters Sun, 17 Jul 2005 02:49:46 +0200 libexif (0.6.12-1) unstable; urgency=low * New upstream release. (closes: #281297) * soname bumped to 12 * buffer size checks in exif-data.c merged upstream. * po-domain.path merged upstream. * libexif/exif-utils.c: fixed exif_get_sshort declaration mismatch. -- Frederic Peters Sat, 16 Jul 2005 10:08:51 +0200 libexif (0.6.9-6) unstable; urgency=low * libexif/exif-loader.h: don't include itself. (closes: #299507) -- Frederic Peters Mon, 14 Mar 2005 16:56:48 +0100 libexif (0.6.9-5) unstable; urgency=high * Urgency high since it fixes a security issue. * Patch provided from Ubuntu by Martin Pitt, written by Sylvain Defresne. * libexif/exif-data.c: Add buffer size checks in several places before trying to access it. (closes: #298464) * Reference: https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152 * debian/control: reworded description synopsis. -- Frederic Peters Mon, 7 Mar 2005 18:56:31 +0100 libexif (0.6.9-4) unstable; urgency=low * debian/copyright: fixed license (LGPL, not GPL) (closes: #281442) -- Frederic Peters Tue, 16 Nov 2004 10:40:55 +0100 libexif (0.6.9-3) unstable; urgency=medium * src/exif-data.c: fix for crasher bug with EXIF data in some Canon pictures. (closes: #279337) * debian/rules: fixed clean target -- Frederic Peters Wed, 3 Nov 2004 09:38:13 +0100 libexif (0.6.9-2) unstable; urgency=medium * Adopted package. * debian/control: bumped Standards-Version to 3.6.1 * debian/rules: delete po/libexif-$(major).pot in clean target * libexif/exif-data.c: fixed segfault on some pictures (urgency medium since it broke gimp and others with those files) -- Frederic Peters Mon, 11 Oct 2004 09:44:24 +0200 libexif (0.6.9-1) unstable; urgency=low * New upstream release. -- christophe barbe Fri, 28 May 2004 16:15:19 -0400 libexif (0.5.12-1) unstable; urgency=low * New upstream release (Closes: #206081). -- christophe barbe Mon, 18 Aug 2003 21:00:57 -0400 libexif (0.5.10-2) unstable; urgency=low * Use soname in po domain to avoid conflict with libexif5 (Closes: #203956). -- christophe barbe Sun, 3 Aug 2003 10:24:48 -0400 libexif (0.5.10-1) unstable; urgency=low * New upstream featuring a new exif-loader. -- christophe barbe Sun, 27 Jul 2003 16:01:27 -0400 libexif (0.5.9-5) unstable; urgency=low * Move DH_COMPAT in debian/compat. * Bump Standards-Version up to 3.5.9. * In new libdevel section. -- christophe barbe Thu, 3 Apr 2003 20:42:49 -0500 libexif (0.5.9-4) unstable; urgency=low * Apply the libtool patch soon enough. -- christophe barbe Mon, 27 Jan 2003 10:26:40 -0500 libexif (0.5.9-3) unstable; urgency=low * Libtool update to finally get a working MIPS package (Closes: 177973). -- christophe barbe Sun, 26 Jan 2003 16:04:42 -0500 libexif (0.5.9-2) unstable; urgency=low * Added autotools-dev code (so the MIPS package should be built). -- christophe barbe Wed, 22 Jan 2003 09:01:47 -0500 libexif (0.5.9-1) unstable; urgency=low * New upstream release. -- christophe barbe Mon, 20 Jan 2003 16:48:14 -0500 libexif (0.5.7-1) unstable; urgency=low * New upstream release. -- christophe barbe Mon, 2 Dec 2002 21:29:45 -0500 libexif (0.5.6-4) unstable; urgency=low * Fix override disparity (The 'I can do it' release). -- christophe barbe Sat, 16 Nov 2002 16:12:16 -0500 libexif (0.5.6-3) unstable; urgency=low * Fix override disparity. -- christophe barbe Sat, 16 Nov 2002 16:00:59 -0500 libexif (0.5.6-2) unstable; urgency=low * Quick fix to avoid conflict with libexif5 (Closes: #169313, #169336, #169337). -- christophe barbe Sat, 16 Nov 2002 15:18:18 -0500 libexif (0.5.6-1) unstable; urgency=low * New upstream release (Closes: #168382). -- christophe barbe Sun, 10 Nov 2002 22:20:05 -0500 libexif (0.5.3-1) unstable; urgency=low * New upstream release. -- christophe barbe Tue, 18 Jun 2002 21:17:56 -0400 libexif (0.5.0-2) unstable; urgency=low * Fix wrong email address in control file. -- christophe barbe Wed, 24 Apr 2002 14:38:37 -0400 libexif (0.5.0-1) unstable; urgency=low * Initial Release. -- christophe barbe Wed, 13 Feb 2002 17:58:36 -0500