Opened 3 years ago
Closed 3 years ago
#14272 closed enhancement (fixed)
libexif upstream fixes
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | 10.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
The other security fixes I noticed are for libexif-0.6.22.
Fedora have patches, apparently from upstream, to fix CVE-2020-0181/0198 and CVE-2020-0452. Those were originally reported against android. The first pair are labelled as DOS, but the last one is an oob write on integer overflow, possible remote code execution or disclosure of sensitive information.
Change History (3)
comment:1 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Priority: | normal → high |
| Status: | new → assigned |
comment:2 by , 3 years ago
Note:
See TracTickets
for help on using tickets.
After rebuilding this, and rebuilding ImageMagick to ensure it can use the new version, that does not use it any more. Fedora is still on IM6 with a changelog entry that in 2004 AC fixed a mismatch between IM-devel and libexif-devel. Lookign at Arch, they do not have IM as a dependency of libexif. Ristretto uses it and still builds.