[Pkg-kde-extras] Bug#868578: Bug#868578: CVE-2017-11335 CVE-2017-11336 CVE-2017-11337 CVE-2017-11338 CVE-2017-11339 CVE-2017-11340

Salvatore Bonaccorso carnil at debian.org
Mon Jul 17 12:12:10 UTC 2017


Hi

On Mon, Jul 17, 2017 at 01:36:41PM +0200, Maximiliano Curia wrote:
> Control: notfound -1 0.25-3.1
> Control: found -1 0.26-1
> 
> Hello Moritz!
> 
> On 2017-07-16 at 22:49 +0200, Moritz Muehlenhoff wrote:
> > Package: exiv2
> > Version: 0.25-3.1
> > Severity: important
> > Tags: security
> > 
> > Please see:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
> 
> This one seems to be libtiff specific, if this is reproducible with exiv2,
> please let me know how to reproduce it.

I think that one was a copy-paste glitch, it is for src:tiff, cf.
https://security-tracker.debian.org/tracker/CVE-2017-11335

> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340
> 
> I couldn't reproduce these with 0.25-3.1, but these issues are clearly there
> for 0.26-1. Thanks for the heads up, I guess we would either skip 0.26 for
> unstable or, at least, wait till these issues are patched.

Hmm, not being able to reproduce does not necessarily mean the issue
is not present. Is there source-wise evidence that they do not affect
versions prior to 0.26? AFAICT at least the Image::printIFDStructure*
functions are not present in older versions such as exiv2 in unstable.

Regards,
Salvatore
