• Bug#1098323: exiv2: CVE-2025-26623

    From Salvatore Bonaccorso@21:1/5 to All on Wed Feb 19 07:40:01 2025
    Source: exiv2
    Version: 0.28.4+dfsg-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    Forwarded: https://github.com/Exiv2/exiv2/issues/3168
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for exiv2.

    CVE-2025-26623[0]:
    | Exiv2 is a C++ library and a command-line utility to read, write,
    | delete and modify Exif, IPTC, XMP and ICC image metadata. A heap
    | buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4.
    | Versions prior to v0.28.0, such as v0.27.7, are **not** affected.
    | Exiv2 is a command-line utility and C++ library for reading,
    | writing, deleting, and modifying the metadata of image files. The
    | heap overflow is triggered when Exiv2 is used to write metadata into
    | a crafted image file. An attacker could potentially exploit the
    | vulnerability to gain code execution, if they can trick the victim
    | into running Exiv2 on a crafted image file. Note that this bug is
    | only triggered when writing the metadata, which is a less frequently
    | used Exiv2 operation than reading the metadata. For example, to
    | trigger the bug in the Exiv2 command-line application, you need to
    | add an extra command-line argument such as `fixiso`. The bug is
    | fixed in version v0.28.5. Users are advised to upgrade. There are no
    | known workarounds for this vulnerability.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-26623
    https://www.cve.org/CVERecord?id=CVE-2025-26623
    [1] https://github.com/Exiv2/exiv2/issues/3168
    [2] https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

  • From Debian Bug Tracking System@21:1/5 to All on Thu Feb 20 08:10:01 2025

    Your message dated Thu, 20 Feb 2025 07:04:26 +0000
    with message-id <E1tl0bi-00Dd8G-Fq@fasolo.debian.org>
    and subject line Bug#1098323: fixed in exiv2 0.28.4+dfsg-2
    has caused the Debian Bug report #1098323,
    regarding exiv2: CVE-2025-26623
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1098323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098323
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
