#21376 closed enhancement (fixed)
exempi-2.6.6
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Change History (5)
comment:1 by , 10 months ago
| Priority: | normal → elevated |
|---|
comment:2 by , 10 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 10 months ago
I was able to acquire more information on the five buffer overrun vulnerabilities fixed in the Adobe XMP Toolkit SDK from https://helpx.adobe.com/security/products/xmpcore/apsb25-34.html
Our CVE numbers are:
- CVE-2025-30305 (Medium)
- CVE-2025-30306 (Medium)
- CVE-2025-30307 (Medium)
- CVE-2025-30308 (Medium)
- CVE-2025-30309 (Medium)
Adobe has their own priority ratings for security updates as well (primarily for system administrators), and this one was assigned Priority 3. The description for that is "This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion."
Release notes from upstream:
2.6.6 - 2025/04/1
- Cherry-pick patch from Adobe XMP SDK v2025.03
- Protect from buffer overruns. Fixes:
  - https://gitlab.freedesktop.org/libopenraw/exempi/-/issues/33
  - GHSL-2024-083
  - GHSL-2024-084
  - GHSL-2024-085
  - GHSL-2024-086
  - GHSL-2024-087
comment:4 by , 10 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |

Fixes five buffer overrun related security vulnerabilities.
Initial report can be found here: https://gitlab.freedesktop.org/libopenraw/exempi/-/issues/33
Adobe's fixes were committed 5 days ago, https://github.com/adobe/XMP-Toolkit-SDK/pull/102