Opened 2 years ago

Closed 2 years ago

#14272 closed enhancement (fixed)

libexif upstream fixes

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:


The other security fixes I noticed are for libexif-0.6.22.

Fedora have patches, apparently from upstream, to fix CVE-2020-0181/0198 and CVE-2020-0452. Those were originally reported against Android. The first pair are labelled as DoS, but the last one is an OOB write on integer overflow, possible remote code execution or disclosure of sensitive information.
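As an added illustration of the bug class the description refers to (a value size computed by integer multiplication that wraps, so a later bounds check passes and the copy runs past the buffer), the following C is not libexif's code and does not reproduce CVE-2020-0452, whose details the ticket does not give. The 8-byte entry layout, the function names and the sample bytes are constructed for this example; the checked variant shows the overflow test a parser of attacker-controlled count fields needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical entry header (constructed for this example, not a libexif
   structure): tag(2) format(2) count(4), all little-endian, value follows. */
#define ENTRY_HDR 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bytes per component for the TIFF-style format codes; 0 = unknown. */
static uint32_t component_size(uint16_t fmt) {
    switch (fmt) {
    case 1: case 2: case 7:  return 1;   /* BYTE, ASCII, UNDEFINED */
    case 3:                  return 2;   /* SHORT */
    case 4: case 9:          return 4;   /* LONG, SLONG */
    case 5: case 10:         return 8;   /* RATIONAL, SRATIONAL */
    default:                 return 0;
    }
}

/* The bug class: 32-bit product with no overflow check, wraps silently. */
uint32_t value_size_unchecked(uint32_t count, uint16_t fmt) {
    return count * component_size(fmt);
}

/* Hardened: returns -1 for an unknown format or a product that would wrap. */
int64_t value_size_checked(uint32_t count, uint16_t fmt) {
    uint32_t cs = component_size(fmt);
    if (cs == 0) return -1;
    if (count > UINT32_MAX / cs) return -1;   /* count * cs would overflow */
    return (int64_t)count * cs;
}

/* Validates that an entry's value lies inside buf[0..len). Returns the value
   size, or -1 if the header is short, the size wraps, or the value overruns. */
int64_t parse_entry(const uint8_t *buf, size_t len) {
    if (len < ENTRY_HDR) return -1;
    uint16_t fmt = rd16(buf + 2);
    uint32_t count = rd32(buf + 4);
    int64_t vsize = value_size_checked(count, fmt);
    if (vsize < 0) return -1;
    if ((uint64_t)vsize > len - ENTRY_HDR) return -1;  /* value past end of buffer */
    return vsize;
}

/* Constructed inputs: format 4 (LONG). In evil_entry count = 0x40000001, so
   4 * count is 0x100000004 and wraps to 4 in 32 bits, which would pass a naive
   "size fits in the remaining 4 bytes" test while count elements get walked. */
static const uint8_t evil_entry[] = { 0x0e,0x01, 0x04,0x00, 0x01,0x00,0x00,0x40, 0xde,0xad,0xbe,0xef };
static const uint8_t good_entry[] = { 0x0e,0x01, 0x04,0x00, 0x01,0x00,0x00,0x00, 0xde,0xad,0xbe,0xef };

int main(void) {
    printf("unchecked size for evil count: %u (wrapped)\n", value_size_unchecked(0x40000001u, 4));
    printf("evil entry: %lld\n", (long long)parse_entry(evil_entry, sizeof evil_entry));
    printf("good entry: %lld\n", (long long)parse_entry(good_entry, sizeof good_entry));
    return 0;
}
```

The point of the checked variant is that the overflow test must happen before any comparison against the remaining buffer length; comparing a product that has already wrapped proves nothing.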

Change History (3)

comment:1 by ken@…, 2 years ago

Owner: changed from blfs-book to ken@…
Priority: normal → high
Status: new → assigned

comment:2 by ken@…, 2 years ago

After rebuilding this, and rebuilding ImageMagick to ensure it can use the new version, the latter does not use it any more. Fedora is still on IM6 with a changelog entry that in 2004 AC fixed a mismatch between IM-devel and libexif-devel. Looking at Arch, they do not have IM as a dependency of libexif. Ristretto uses it and still builds.

comment:3 by ken@…, 2 years ago

Resolution: fixed
Status: assigned → closed