exiv2 - Debian Package Tracker

general

source: exiv2 (main)
version: 0.28.7+dfsg-2
maintainer: Debian KDE Extras Team (archive) (DMD)
uploaders: Mark Purcell [DMD] – Steve M. Robbins [DMD]
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.27.3-3+deb11u2
o-o-sec: 0.27.3-3+deb11u1
oldstable: 0.27.6-1
stable: 0.28.5+dfsg-1
testing: 0.28.7+dfsg-2
unstable: 0.28.7+dfsg-2

versioned links

0.27.3-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.27.3-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.27.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.28.5+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.28.7+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

exiv2 (8 bugs: 0, 8, 0, 0)
libexiv2-28
libexiv2-data (1 bugs: 0, 0, 1, 0)
libexiv2-dev
libexiv2-doc (1 bugs: 0, 1, 0, 0)

action needed

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 0.28.7+dfsg-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit c9b092f2f4c06168bf3decda8f8eadaf2aca8951
Author: Pino Toscano <pino@debian.org>
Date:   Sat Feb 7 21:40:31 2026 +0100

    drop Priority: optional

commit 98c87f541c414d0396c7702bc1823605a98ab1f6
Author: Pino Toscano <pino@debian.org>
Date:   Sat Feb 7 21:39:55 2026 +0100

    drop Rules-Requires-Root: no

commit 40e1b18211a66c8d9f525cb4405b167d66450079
Author: Pino Toscano <pino@debian.org>
Date:   Sat Feb 7 21:39:24 2026 +0100

    bump Standards-Version to 4.7.3
    
    no changes required

commit aff36a2cbd9793229a9520530ce64cf29c261be8
Author: Pino Toscano <pino@debian.org>
Date:   Sat Feb 7 21:38:44 2026 +0100

    changelog: generate

commit e6b7660582c9785ce2de9348d627d980b3f1f7ec
Author: Steve Robbins <steve@sumost.ca>
Date:   Sun Jan 11 12:11:11 2026 -0600

    Remove myself as uploader

Created: 2026-01-11 Last update: 2026-02-07 22:01

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-02-26 Last update: 2025-08-31 21:02

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2025-54080: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
CVE-2025-55304: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-30 Last update: 2025-09-05 05:00

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2025-54080: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
CVE-2025-55304: (needs triaging) Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

You can find information about how to handle these issues in the security team's documentation.

2 ignored issues:

CVE-2024-24826: Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.1. The vulnerable function, `QuickTimeVideo::NikonTagsDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file. In most cases this out of bounds read will result in a crash. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-25112: Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted video file. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Created: 2024-02-13 Last update: 2025-09-05 05:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.2).

Created: 2025-12-23 Last update: 2025-12-23 20:00

news

[rss feed]

[2025-09-05] exiv2 0.28.7+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-08-31] Accepted exiv2 0.28.7+dfsg-2 (source) into unstable (Pino Toscano)
[2025-08-31] Accepted exiv2 0.28.7+dfsg-1 (source) into experimental (Pino Toscano)
[2025-03-03] exiv2 0.28.5+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-02-26] Accepted exiv2 0.28.5+dfsg-1 (source) into unstable (Pino Toscano)
[2025-02-25] exiv2 0.28.4+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-02-20] Accepted exiv2 0.28.4+dfsg-2 (source) into unstable (Pino Toscano)
[2025-02-16] exiv2 0.28.4+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-02-10] Accepted exiv2 0.28.4+dfsg-1 (source) into unstable (Pino Toscano)
[2024-09-27] exiv2 0.28.3+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-09-05] Accepted exiv2 0.28.3+dfsg-2 (source) into unstable (Pino Toscano)
[2024-07-13] Accepted exiv2 0.28.3+dfsg-1 (source) into experimental (Pino Toscano)
[2024-02-16] Accepted exiv2 0.28.2+dfsg-1 (source) into experimental (Pino Toscano)
[2023-11-17] Accepted exiv2 0.28.1+dfsg-3 (source) into experimental (Pino Toscano)
[2023-11-12] Accepted exiv2 0.28.1+dfsg-2 (source) into experimental (Pino Toscano)
[2023-11-06] Accepted exiv2 0.28.1+dfsg-1 (source) into experimental (Pino Toscano)
[2023-07-18] Accepted exiv2 0.28.0+dfsg-4 (source) into experimental (Pino Toscano)
[2023-07-16] Accepted exiv2 0.28.0+dfsg-3 (source) into experimental (Pino Toscano)
[2023-07-16] Accepted exiv2 0.28.0+dfsg-2 (source) into experimental (Pino Toscano)
[2023-07-15] Accepted exiv2 0.28.0+dfsg-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Pino Toscano)
[2023-02-23] Accepted exiv2 0.27.3-3+deb11u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Helmut Grohne)
[2023-02-02] exiv2 0.27.6-1 MIGRATED to testing (Debian testing watch)
[2023-01-28] Accepted exiv2 0.27.6-1 (source) into unstable (Pino Toscano)
[2023-01-10] Accepted exiv2 0.25-4+deb10u4 (source) into oldstable (Helmut Grohne)
[2022-11-10] Accepted exiv2 0.25-4+deb10u3 (source) into oldstable (Dominik George)
[2022-08-27] exiv2 0.27.5-4 MIGRATED to testing (Debian testing watch)
[2022-08-22] Accepted exiv2 0.27.5-4 (source) into unstable (Sandro Knauß)
[2022-04-01] exiv2 0.27.5-3 MIGRATED to testing (Debian testing watch)
[2022-03-26] Accepted exiv2 0.27.5-3 (source) into unstable (Sandro Knauß)
[2022-03-25] Accepted exiv2 0.27.5-2 (source) into unstable (Sandro Knauß)

bugs [bug history graph]

all: 14
RC: 0
I&N: 13
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 75)
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.28.7+dfsg-2
7 bugs