
Debian alert DLA-4558-1 (libexif)

From:  Emmanuel Arias <eamanu@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4558-1] libexif security update
Date:  Fri, 01 May 2026 12:29:10 -0300
Message-ID:  <afTGxqnuzfiT3Kan@debian>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4558-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Emmanuel Arias
May 01, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libexif
Version        : 0.6.22-3+deb11u1
CVE ID         : CVE-2026-32775 CVE-2026-40385 CVE-2026-40386
Debian Bug     : 1131116 1133922 1133923

Three security vulnerabilities were discovered in libexif, a library that
reads and writes EXIF metainformation from and to image files, that can
cause crashes or information leaks.

CVE-2026-32775

    If the exif_mnote_data_get_value function in MakerNotes is passed a
    size of 0, the passed-in buffer would be overwritten due to an
    integer underflow.

CVE-2026-40385

    An unsigned 32-bit integer overflow in Nikon MakerNote handling could
    be used by local attackers to cause crashes or information leaks.

CVE-2026-40386

    An integer underflow in size checking for Fuji and Olympus MakerNote
    decoding could be used by attackers to crash or leak information out
    of libexif-using programs.

For Debian 11 bullseye, these problems have been fixed in version
0.6.22-3+deb11u1.

We recommend that you upgrade your libexif packages.

For the detailed security status of libexif please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libexif

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Attachment: signature.asc (type=application/pgp-signature)

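The class of size-check error named in the three CVE descriptions above (a zero-size output buffer, a 32-bit unsigned overflow, and an underflow in a size check), shown beside a wrap-free form. This is an added example, not libexif's code and not part of the advisory; every function name and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive check: off + len wraps past UINT32_MAX (overflow) and passes. */
static int naive_add_ok(uint32_t off, uint32_t len, uint32_t size)
{
    return (uint32_t)(off + len) <= size;
}

/* Naive check: size - off wraps when off > size (underflow) and passes. */
static int naive_sub_ok(uint32_t off, uint32_t len, uint32_t size)
{
    return len <= (uint32_t)(size - off);
}

/* Hardened: compare first, so the subtraction can never wrap. */
static int safe_ok(uint32_t off, uint32_t len, uint32_t size)
{
    return off <= size && len <= size - off;
}

/* What an unchecked "maxlen - 1" yields; SIZE_MAX when maxlen is 0. */
static size_t naive_copy_limit(size_t maxlen) { return maxlen - 1; }

/* Hypothetical getter: copies a field into val as a NUL-terminated string.
 * Returns bytes copied, or -1 on a zero-size buffer or out-of-range field. */
static int get_value(const unsigned char *data, uint32_t size, uint32_t off,
                     uint32_t len, char *val, size_t maxlen)
{
    if (data == NULL || val == NULL || maxlen == 0)
        return -1;                       /* reject before maxlen - 1 */
    if (!safe_ok(off, len, size))
        return -1;
    size_t n = len < maxlen - 1 ? len : maxlen - 1;
    memcpy(val, data + off, n);
    val[n] = '\0';
    return (int)n;
}

int main(void)
{
    const unsigned char blob[] = "ABCDEFGH";   /* constructed sample data */
    char out[4];
    printf("naive add=%d sub=%d safe=%d\n", naive_add_ok(0xFFFFFFF0u, 0x14u, 8),
           naive_sub_ok(100u, 8u, 8), safe_ok(0xFFFFFFF0u, 0x14u, 8));
    printf("copied=%d zero-size=%d\n", get_value(blob, 8, 2, 4, out, sizeof out),
           get_value(blob, 8, 2, 4, out, 0));
    return 0;
}
```

Both naive checks accept fields that lie outside an 8-byte buffer, while `safe_ok` rejects them because no intermediate value can wrap.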




Copyright © 2026, Eklektix, Inc.