Debian Package Tracker

exiv2

EXIF/IPTC/XMP metadata manipulation tool

general
  • source: exiv2 (main)
  • version: 0.28.7+dfsg-2
  • maintainer: Debian KDE Extras Team (archive) (DMD)
  • uploaders: Mark Purcell [DMD] – Steve M. Robbins [DMD]
  • arch: all any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.27.3-3+deb11u2
  • o-o-sec: 0.27.3-3+deb11u1
  • oldstable: 0.27.6-1
  • stable: 0.28.5+dfsg-1
  • testing: 0.28.7+dfsg-2
  • unstable: 0.28.7+dfsg-2
versioned links
  • 0.27.3-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.27.3-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.27.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.28.5+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.28.7+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • exiv2 (8 bugs: 0, 8, 0, 0)
  • libexiv2-28
  • libexiv2-data (1 bugs: 0, 0, 1, 0)
  • libexiv2-dev
  • libexiv2-doc (1 bugs: 0, 1, 0, 0)
action needed
lintian reports 1 warning [normal]
Lintian reports 1 warning about this package. You should make the package lintian-clean by getting rid of it.
Created: 2025-02-26 Last update: 2025-08-31 21:02
2 low-priority security issues in trixie [low]

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2025-54080: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
  • CVE-2025-55304: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-30 Last update: 2025-09-05 05:00
4 low-priority security issues in bookworm [low]

There are 4 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2025-54080: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
  • CVE-2025-55304: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

You can find information about how to handle these issues in the security team's documentation.

2 ignored issues:
  • CVE-2024-24826: Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.1. The vulnerable function, `QuickTimeVideo::NikonTagsDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file. In most cases this out of bounds read will result in a crash. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  • CVE-2024-25112: Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted video file. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Created: 2024-02-13 Last update: 2025-09-05 05:00
news
  • [2025-09-05] exiv2 0.28.7+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2025-08-31] Accepted exiv2 0.28.7+dfsg-2 (source) into unstable (Pino Toscano)
  • [2025-08-31] Accepted exiv2 0.28.7+dfsg-1 (source) into experimental (Pino Toscano)
  • [2025-03-03] exiv2 0.28.5+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-26] Accepted exiv2 0.28.5+dfsg-1 (source) into unstable (Pino Toscano)
  • [2025-02-25] exiv2 0.28.4+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2025-02-20] Accepted exiv2 0.28.4+dfsg-2 (source) into unstable (Pino Toscano)
  • [2025-02-16] exiv2 0.28.4+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-10] Accepted exiv2 0.28.4+dfsg-1 (source) into unstable (Pino Toscano)
  • [2024-09-27] exiv2 0.28.3+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2024-09-05] Accepted exiv2 0.28.3+dfsg-2 (source) into unstable (Pino Toscano)
  • [2024-07-13] Accepted exiv2 0.28.3+dfsg-1 (source) into experimental (Pino Toscano)
  • [2024-02-16] Accepted exiv2 0.28.2+dfsg-1 (source) into experimental (Pino Toscano)
  • [2023-11-17] Accepted exiv2 0.28.1+dfsg-3 (source) into experimental (Pino Toscano)
  • [2023-11-12] Accepted exiv2 0.28.1+dfsg-2 (source) into experimental (Pino Toscano)
  • [2023-11-06] Accepted exiv2 0.28.1+dfsg-1 (source) into experimental (Pino Toscano)
  • [2023-07-18] Accepted exiv2 0.28.0+dfsg-4 (source) into experimental (Pino Toscano)
  • [2023-07-16] Accepted exiv2 0.28.0+dfsg-3 (source) into experimental (Pino Toscano)
  • [2023-07-16] Accepted exiv2 0.28.0+dfsg-2 (source) into experimental (Pino Toscano)
  • [2023-07-15] Accepted exiv2 0.28.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Pino Toscano)
  • [2023-02-23] Accepted exiv2 0.27.3-3+deb11u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Helmut Grohne)
  • [2023-02-02] exiv2 0.27.6-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-28] Accepted exiv2 0.27.6-1 (source) into unstable (Pino Toscano)
  • [2023-01-10] Accepted exiv2 0.25-4+deb10u4 (source) into oldstable (Helmut Grohne)
  • [2022-11-10] Accepted exiv2 0.25-4+deb10u3 (source) into oldstable (Dominik George)
  • [2022-08-27] exiv2 0.27.5-4 MIGRATED to testing (Debian testing watch)
  • [2022-08-22] Accepted exiv2 0.27.5-4 (source) into unstable (Sandro Knauß)
  • [2022-04-01] exiv2 0.27.5-3 MIGRATED to testing (Debian testing watch)
  • [2022-03-26] Accepted exiv2 0.27.5-3 (source) into unstable (Sandro Knauß)
  • [2022-03-25] Accepted exiv2 0.27.5-2 (source) into unstable (Sandro Knauß)
bugs [bug history graph]
  • all: 14
  • RC: 0
  • I&N: 13
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 75)
  • debian patches
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.28.5+dfsg-1
  • 7 bugs

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.