Bug#1134175: trixie-pu: package libexif/0.6.25-1+deb13u1

Emmanuel Arias eamanu at debian.org
Fri Apr 17 12:45:22 BST 2026 

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libexif at packages.debian.org, eamanu at debian.org
Control: affects -1 + src:libexif
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
This update attempt to fix all open CVEs for libexif.

[ Impact ]
If the update isn't approved, users will continue to be vulnerable to
CVE-2026-40386, CVE-2026-40385, CVE-2026-32775. Bullseye
users upgrading to Trixie will become vulnerable again.

[ Tests ]
Issues affect to specific hardware

[ Risks ]
All the changes are minor an easy to read the code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
CVE-2026-40386: fix an integer underflow in a size check.

CVE-2026-40385: Add a check to avoid overflow in system with
32 bits unsigned int size_t.

CVE-2026-32775: Fix an integer undeflow in
mnote_pentax_entry_get_values(). This patch add a check
to verify that maxlen be at least 1.
-------------- next part --------------
diff -Nru libexif-0.6.25/debian/changelog libexif-0.6.25/debian/changelog
--- libexif-0.6.25/debian/changelog	2025-02-11 07:19:04.000000000 -0300
+++ libexif-0.6.25/debian/changelog	2026-04-17 07:48:04.000000000 -0300
@@ -1,3 +1,21 @@
+libexif (0.6.25-1+deb13u1) trixie; urgency=medium
+
+  * Team upload.
+  * d/patches/CVE-2026-40386.patch Add patch for CVE-2026-40386.
+    - An integer underflow in size checking for Fuji and Olympus MakerNote
+      decoding could be used by attackers to crash or leak information out
+      of libexif-using programs (Closes: #1133923).
+  * d/patches/CVE-2026-40385.patch: Add patch for CVE-2026-40385.
+    - An unsigned 32bit integer overflow in Nikon MakerNote handling could
+      be used by local attackers to cause crashes or information leaks.
+      (Closes: #1133922).
+  * d/patches/CVE-2026-32775.patch: Add patch for CVE-2026-32775.patch.
+    - If the exif_mnote_data_get_value function in MakerNotes gets passed
+      in a 0 size, the passed in-buffer would be overwritten due to an
+      integer underflow (Closes: #1131116).
+
+ -- Emmanuel Arias <eamanu at debian.org>  Fri, 17 Apr 2026 07:48:04 -0300
+
 libexif (0.6.25-1) unstable; urgency=medium
 
   * New upstream version 0.6.25.
diff -Nru libexif-0.6.25/debian/patches/CVE-2026-32775.patch libexif-0.6.25/debian/patches/CVE-2026-32775.patch
--- libexif-0.6.25/debian/patches/CVE-2026-32775.patch	1969-12-31 21:00:00.000000000 -0300
+++ libexif-0.6.25/debian/patches/CVE-2026-32775.patch	2026-04-17 07:33:27.000000000 -0300
@@ -0,0 +1,82 @@
+From: Marcus Meissner <marcus at jet.franken.de>
+Date: Mon, 9 Mar 2026 10:02:53 +0100
+Subject: [PATCH] check maxlen to be at least 1
+
+maxlen-- on 0 will become a high value.
+
+(likely found by AI)
+
+Fixes https://github.com/libexif/libexif/issues/247
+Bug-Debian: https://bugs.debian.org/1131116
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-32775
+---
+ libexif/apple/mnote-apple-entry.c     | 2 ++
+ libexif/canon/mnote-canon-entry.c     | 2 ++
+ libexif/fuji/mnote-fuji-entry.c       | 1 +
+ libexif/olympus/mnote-olympus-entry.c | 2 ++
+ libexif/pentax/mnote-pentax-entry.c   | 1 +
+ 5 files changed, 8 insertions(+)
+
+diff --git a/libexif/apple/mnote-apple-entry.c b/libexif/apple/mnote-apple-entry.c
+index 36e002c5..0fa6bc24 100644
+--- a/libexif/apple/mnote-apple-entry.c
++++ b/libexif/apple/mnote-apple-entry.c
+@@ -45,6 +45,8 @@ mnote_apple_entry_get_value(MnoteAppleEntry *entry, char *v, unsigned int maxlen
+ 
+     if (!entry)
+         return NULL;
++    if (maxlen < 1)
++        return NULL;
+ 
+     memset(v, 0, maxlen);
+     maxlen--;
+diff --git a/libexif/canon/mnote-canon-entry.c b/libexif/canon/mnote-canon-entry.c
+index de0fac4f..2849d5ba 100644
+--- a/libexif/canon/mnote-canon-entry.c
++++ b/libexif/canon/mnote-canon-entry.c
+@@ -561,6 +561,8 @@ mnote_canon_entry_get_value (const MnoteCanonEntry *entry, unsigned int t, char
+ 
+ 	if (!entry) 
+ 		return NULL;
++	if (maxlen < 1)
++		return NULL;
+ 
+ 	data = entry->data;
+ 	size = entry->size;
+diff --git a/libexif/fuji/mnote-fuji-entry.c b/libexif/fuji/mnote-fuji-entry.c
+index 47e01ed5..5d9f16fd 100644
+--- a/libexif/fuji/mnote-fuji-entry.c
++++ b/libexif/fuji/mnote-fuji-entry.c
+@@ -201,6 +201,7 @@ mnote_fuji_entry_get_value (MnoteFujiEntry *entry,
+ 	int i, j;
+ 
+ 	if (!entry) return (NULL);
++	if (maxlen < 1) return NULL;
+ 
+ 	memset (val, 0, maxlen);
+ 	maxlen--;
+diff --git a/libexif/olympus/mnote-olympus-entry.c b/libexif/olympus/mnote-olympus-entry.c
+index e5200bec..f938d409 100644
+--- a/libexif/olympus/mnote-olympus-entry.c
++++ b/libexif/olympus/mnote-olympus-entry.c
+@@ -286,6 +286,8 @@ mnote_olympus_entry_get_value (MnoteOlympusEntry *entry, char *v, unsigned int m
+ 
+ 	if (!entry)
+ 		return (NULL);
++	if (maxlen < 1)
++		return NULL;
+ 
+ 	memset (v, 0, maxlen);
+ 	maxlen--;
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index 46900c3a..0a6f87a1 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -317,6 +317,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 	int i = 0, j = 0;
+ 
+ 	if (!entry) return (NULL);
++	if (maxlen < 1) return (NULL);
+ 
+ 	memset (val, 0, maxlen);
+ 	maxlen--;
diff -Nru libexif-0.6.25/debian/patches/CVE-2026-40385.patch libexif-0.6.25/debian/patches/CVE-2026-40385.patch
--- libexif-0.6.25/debian/patches/CVE-2026-40385.patch	1969-12-31 21:00:00.000000000 -0300
+++ libexif-0.6.25/debian/patches/CVE-2026-40385.patch	2026-04-17 07:33:27.000000000 -0300
@@ -0,0 +1,29 @@
+From: Marcus Meissner <meissner at suse.de>
+Date: Fri, 3 Apr 2026 11:18:47 +0200
+Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes
+
+The addition o2 = datao + exif_get_long(buf + o2, n->order)
+could have overflowed on systems with 32bit unsigned int size_t.
+
+This could have caused out of bound reads of data, leading to
+misparsing of exif / crashes.
+
+Reported-By: Kerwin <kerwinxia66001 at gmail.com>
+Bug-Debian: https://bugs.debian.org/1133922
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40385
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index 428f365d..37f08ff1 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -386,6 +386,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+ 		o2 += 2;
+ 
+ 		/* Go to where the number of entries is. */
++		if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return;
+ 		o2 = datao + exif_get_long (buf + o2, n->order);
+ 		break;
+ 
diff -Nru libexif-0.6.25/debian/patches/CVE-2026-40386.patch libexif-0.6.25/debian/patches/CVE-2026-40386.patch
--- libexif-0.6.25/debian/patches/CVE-2026-40386.patch	1969-12-31 21:00:00.000000000 -0300
+++ libexif-0.6.25/debian/patches/CVE-2026-40386.patch	2026-04-17 07:33:27.000000000 -0300
@@ -0,0 +1,40 @@
+From: Marcus Meissner <meissner at suse.de>
+Date: Thu, 2 Apr 2026 13:26:31 +0200
+Subject: [PATCH] fixed 2 unsigned integer underflows
+
+this could cause crashes or data leaks.
+
+Reported-by: Kerwin <kerwinxia66001 at gmail.com>
+Bug-Debian: https://bugs.debian.org/1133923
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40386
+---
+ libexif/fuji/exif-mnote-data-fuji.c       | 2 +-
+ libexif/olympus/exif-mnote-data-olympus.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
+index c28c541b..2dcb8775 100644
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -70,7 +70,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns
+ 	ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d;
+ 
+ 	if (!d || !val) return NULL;
+-	if (i > n->count -1) return NULL;
++	if (i >= n->count) return NULL;
+ /*
+ 	exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji",
+ 		  "Querying value for tag '%s'...",
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index a57af177..428f365d 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -78,7 +78,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val,
+ 	ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d;
+ 
+ 	if (!d || !val) return NULL;
+-	if (i > n->count -1) return NULL;
++	if (i >= n->count) return NULL;
+ /*
+ 	exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ 		  "Querying value for tag '%s'...",
diff -Nru libexif-0.6.25/debian/patches/series libexif-0.6.25/debian/patches/series
--- libexif-0.6.25/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ libexif-0.6.25/debian/patches/series	2026-04-17 07:34:06.000000000 -0300
@@ -0,0 +1,3 @@
+CVE-2026-32775.patch
+CVE-2026-40385.patch
+CVE-2026-40386.patch

More information about the Pkg-phototools-devel mailing list