Debian Package Tracker

general

source: exiv2 (main)
version: 0.25-4
maintainer: Debian Qt/KDE Maintainers (archive) [DMD]
uploaders: Fathi Boudra [DMD] – Mark Purcell [DMD] – Maximiliano Curia [DMD]
arch: all any
std-ver: 4.1.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.23-1
o-o-sec: 0.23-1+deb7u2
oldstable: 0.24-4.1
old-sec: 0.24-4.1+deb8u1
stable: 0.25-3.1+deb9u1
stable-sec: 0.25-3.1+deb9u1
testing: 0.25-4
unstable: 0.25-4
exp: 0.26-1

versioned links

0.23-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.23-1+deb7u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.24-4.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.24-4.1+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.25-3.1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.25-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.26-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

exiv2
libexiv2-14
libexiv2-dev
libexiv2-doc

action needed

A new upstream version is available: 0.26 high

A new upstream version 0.26 is available, you should consider packaging it.

Created: 2018-06-29 Last update: 2018-08-14 14:07

16 security issues in jessie high

There are 16 open security issues in jessie.

2 important issues:

CVE-2018-9145: In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue exists in the constructor with an initial buffer size. A large size value may lead to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have been unable to reproduce the SIGABRT when using the 4-DataBuf-abort-1 PoC file.
CVE-2018-10780: Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer over-read.

14 issues skipped by the security teams:

CVE-2017-1000128: Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.
CVE-2017-11683: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2017-9239: An issue was discovered in Exiv2 0.26. When the data structure of the structure ifd is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue() to cause a segmentation fault. To exploit this vulnerability, someone must open a crafted tiff file.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-17725: In Exiv2 0.26, there is an integer overflow leading to a heap-based buffer over-read in the Exiv2::getULong function in types.cpp. Remote attackers can exploit the vulnerability to cause a denial of service via a crafted image file. Note that this vulnerability is different from CVE-2017-14864, which is an invalid memory address dereference.
CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-11037: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file.
CVE-2017-17723: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 function in image.cpp. Remote attackers can exploit this vulnerability to disclose memory data or cause a denial of service via a crafted TIFF file.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.

Please fix them.

Created: 2017-05-26 Last update: 2018-08-04 08:04

15 security issues in sid high

There are 15 open security issues in sid.

15 important issues:

CVE-2017-1000128: Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2017-11683: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2017-17725: In Exiv2 0.26, there is an integer overflow leading to a heap-based buffer over-read in the Exiv2::getULong function in types.cpp. Remote attackers can exploit the vulnerability to cause a denial of service via a crafted image file. Note that this vulnerability is different from CVE-2017-14864, which is an invalid memory address dereference.
CVE-2018-9145: In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue exists in the constructor with an initial buffer size. A large size value may lead to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have been unable to reproduce the SIGABRT when using the 4-DataBuf-abort-1 PoC file.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-10780: Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer over-read.
CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-11037: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file.
CVE-2017-17723: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 function in image.cpp. Remote attackers can exploit this vulnerability to disclose memory data or cause a denial of service via a crafted TIFF file.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.

Please fix them.

Created: 2017-07-17 Last update: 2018-08-04 08:04

15 security issues in buster high

There are 15 open security issues in buster.

15 important issues:

CVE-2017-1000128: Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2017-11683: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2017-17725: In Exiv2 0.26, there is an integer overflow leading to a heap-based buffer over-read in the Exiv2::getULong function in types.cpp. Remote attackers can exploit the vulnerability to cause a denial of service via a crafted image file. Note that this vulnerability is different from CVE-2017-14864, which is an invalid memory address dereference.
CVE-2018-9145: In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue exists in the constructor with an initial buffer size. A large size value may lead to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have been unable to reproduce the SIGABRT when using the 4-DataBuf-abort-1 PoC file.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-10780: Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer over-read.
CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-11037: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file.
CVE-2017-17723: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 function in image.cpp. Remote attackers can exploit this vulnerability to disclose memory data or cause a denial of service via a crafted TIFF file.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.

Please fix them.

Created: 2017-07-17 Last update: 2018-08-04 08:04

15 security issues in stretch high

There are 15 open security issues in stretch.

2 important issues:

CVE-2018-9145: In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue exists in the constructor with an initial buffer size. A large size value may lead to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have been unable to reproduce the SIGABRT when using the 4-DataBuf-abort-1 PoC file.
CVE-2018-10780: Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer over-read.

13 issues skipped by the security teams:

CVE-2017-1000128: Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.
CVE-2017-11683: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-17725: In Exiv2 0.26, there is an integer overflow leading to a heap-based buffer over-read in the Exiv2::getULong function in types.cpp. Remote attackers can exploit the vulnerability to cause a denial of service via a crafted image file. Note that this vulnerability is different from CVE-2017-14864, which is an invalid memory address dereference.
CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-11037: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file.
CVE-2017-17723: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 function in image.cpp. Remote attackers can exploit this vulnerability to disclose memory data or cause a denial of service via a crafted TIFF file.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.

Please fix them.

Created: 2017-07-17 Last update: 2018-08-04 08:04

lintian reports 1 error and 10 warnings high

Lintian reports 1 error and 10 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2015-03-05 Last update: 2018-06-29 01:30

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

libexiv2-doc could be marked Multi-Arch: foreign
libexiv2-dev could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2018-08-14 14:24

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs, consider including or untagging them.

Created: 2017-11-21 Last update: 2018-08-14 13:42

A new version is available in the VCS, consider uploading it. normal

vcswatch reports that this package has a new version ready in the VCS. You should consider uploading into the archive.

The Vcs URL is using anonscm.debian.org. Please update it for the move to salsa.debian.org.

Created: 2017-12-03 Last update: 2018-07-03 15:57

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-02-25 Last update: 2017-02-25 13:12

testing migrations

This package will soon be part of the auto-exiv2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2018-07-04] Accepted exiv2 0.25-3.1+deb9u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Roberto C. Sanchez)
[2018-07-04] exiv2 0.25-4 MIGRATED to testing (Debian testing watch)
[2018-07-03] Accepted exiv2 0.25-3.1+deb9u1 (source amd64 all) into stable->embargoed, stable (Roberto C. Sanchez)
[2018-06-28] Accepted exiv2 0.25-4 (source) into unstable (Maximiliano Curia)
[2018-06-28] Accepted exiv2 0.24-4.1+deb8u1 (source all) into oldstable (Roberto C. Sanchez)
[2017-10-26] Accepted exiv2 0.23-1+deb7u2 (source amd64 all) into oldoldstable (Raphaël Hertzog)
[2017-07-17] Accepted exiv2 0.26-1 (source amd64 all) into experimental, experimental (Maximiliano Curia)
[2017-06-08] exiv2 0.25-3.1 MIGRATED to testing (Debian testing watch)
[2017-06-05] Accepted exiv2 0.25-3.1 (source amd64 all) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2017-05-29] Accepted exiv2 0.23-1+deb7u1 (source amd64 all) into oldstable (Emilio Pozuelo Monfort)
[2016-05-24] exiv2 0.25-3 MIGRATED to testing (Debian testing watch)
[2016-05-18] Accepted exiv2 0.25-3 (source) into unstable (Norbert Preining) (signed by: Maximiliano Curia)
[2015-10-13] exiv2 0.25-2.1 MIGRATED to testing (Britney)
[2015-10-08] Accepted exiv2 0.25-2.1 (source amd64 all) into unstable (YunQiang Su)
[2015-09-06] exiv2 0.25-2 MIGRATED to testing (Britney)
[2015-08-06] Accepted exiv2 0.25-2 (source amd64 all) into unstable (Maximiliano Curia)
[2015-08-05] Accepted exiv2 0.25-1 (source amd64 all) into unstable, unstable (Maximiliano Curia)
[2015-01-16] exiv2 0.24-4.1 MIGRATED to testing (Britney)
[2015-01-09] Accepted exiv2 0.24-4.1 (source amd64 all) into unstable (Salvatore Bonaccorso)
[2014-09-11] exiv2 0.24-4 MIGRATED to testing (Britney)
[2014-09-05] Accepted exiv2 0.24-4 (source amd64 all) into unstable (Pino Toscano)
[2014-08-28] Accepted exiv2 0.24-3 (source amd64 all) into experimental (Pino Toscano)
[2014-08-16] exiv2 0.23-1.1 MIGRATED to testing (Britney)
[2014-08-05] Accepted exiv2 0.23-1.1 (source amd64 all) into unstable (Wookey)
[2014-01-17] Accepted exiv2 0.24-2 (source amd64 all) (Pino Toscano)
[2013-12-15] Accepted exiv2 0.24-1 (source i386 all) (Mark Purcell)
[2012-05-10] exiv2 0.23-1 MIGRATED to testing (Debian testing watch)
[2012-05-06] Accepted exiv2 0.23-1 (source all amd64) (Mark Purcell)
[2012-01-24] Accepted exiv2 0.22-2 (source all amd64) (Mark Purcell)
[2011-09-24] Accepted exiv2 0.22-1 (source all amd64) (Mark Purcell)

bugs [bug history graph]

all: 43
RC: 17
I&N: 22
M&W: 0
F&P: 1
patch: 3

links

homepage
lintian (1, 10)
buildd: logs, exp, checks, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.25-4
5 bugs