[Pkg-xfce-devel] xfce4 stable update for CVE-2007-6351
- Subject: [Pkg-xfce-devel] xfce4 stable update for CVE-2007-6351
- From: nion at debian.org (Nico Golde)
- Date: Wed, 30 Jan 2008 00:58:08 +0100
- Message-id: <[🔎] 20080129235808.GA12993@ngolde.de>
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for xfce4 some time ago.
CVE-2007-6351[0]:
| libexif 0.6.16 and earlier allows context-dependent attackers to cause
| a denial of service (infinite recursion) via an image file with
| crafted EXIF tags, possibly involving the exif_loader_write function
| in exif_loader.c.
CVE-2007-6352[1]:
| Integer overflow in libexif 0.6.16 and earlier allows
| context-dependent attackers to execute arbitrary code via an image
| with crafted EXIF tags, possibly involving the
| exif_data_load_data_thumbnail function in exif-data.c.
Unfortunately the vulnerabilities described above are not important enough
to get them fixed via regular security update in Debian stable. They do
not warrant a DSA.
However it would be nice if this could get fixed via a regular point update[2].
Please contact the release team for this.
This is an automatically generated mail, in case you are already working on an
upgrade this is of course pointless.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6351
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6352
[2] http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20080130/bcaf8538/attachment.pgp
Reply to: