| Summary: | media-libs/libexif < 0.6.14 Information Handling Vulnerability (CVE-2007-2645) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Pierre-Yves Rofes (RETIRED) <py> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | eradicator, pva |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/25235/ | | |
| Whiteboard: | B2 [glsa] p-y | | |
| Package list: | | Runtime testing required: | --- |

Description
Pierre-Yves Rofes (RETIRED)
setting status and cc'ing maintainer. Jeremy, please advise and bump as necessary.

I'll look at this this evening

whoops didn't mean to change to new

0.6.14 was giving me headaches, but they just released 0.6.15 and the ebuild is in portage now. I haven't had much time to test, so archs please give it a beating. Make sure to test the crashing jpeg in this bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272

Thx Jeremy. Arches please test and mark stable. Target keywords are:

    libexif-0.6.15.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

ppc64 done

media-libs/libexif-0.6.15 USE="nls -doc"
Emerges and works on AMD64. Did however require a revdep-rebuild.

works fine on x86. digikam shows me exif information. One thing I've noticed is that some doc files are installed in /usr/share/doc/libexif, while others are in /usr/share/doc/libexif-0.6.15/.

Jonas, which version were you coming from that it required the revdep-rebuild? Upstream was incorrectly bumping their soname between releases until we notified them about it sometime around 0.6.12. I kept the soname the same on our systems (not matching upstream) because of their error. They fixed their process and decided to keep their inflated soname, and our ebuilds started matching that sometime in the 0.6.13-rXs. Additionally, we were using preserve_old_lib from eutils.eclass to keep around the old binary. Because of this vulnerability, I decided that was not wise.

As for the docdir problem... sorry I missed that. I'll make a note of it for myself and address it in a revbump bugfix later. I don't think it's critical enough to hold this up.

media-libs/libexif-0.6.15 USE="nls -doc"
1. emerges on x86
2. passes test suite
3. passes collision test
4. revdep-rebuild seems to be necessary.
old stable version:

    # qlist libexif-0.6.13-r1 | grep libexif.so
    /usr/lib/libexif.so.10.2.1
    /usr/lib/libexif.so.10
    /usr/lib/libexif.so
    /usr/lib/libexif.so.9

new version:

    # qlist libexif | grep libexif.so
    /usr/lib/libexif.so.12.2.0
    /usr/lib/libexif.so.12
    /usr/lib/libexif.so

Jeremy, I upgraded from 0.6.13-r1 (latest stable on AMD64). For instance Gimp gives the below error when trying to open JPEG files.

    /usr/lib64/gimp/2.0/plug-ins/jpeg: error while loading shared libraries: libexif.so.10: cannot open shared object file: No such file or directory

libexif.so.9 was kept around with preserve_old_lib, but since it is vulnerable, we're not preserving that one any more.

0.6.13-r1 produces libexif.so.10 (we were forcing the old soname because of incorrect upstream version bumping)
0.6.13-r2 produces libexif.so.12 (another dev rev-bumped removing my soname hack forcing a revdep-rebuild)
0.6.15 produces libexif.so.12 and matches the upstream version name.

It seems given the circumstances (-r1 being the current stable), it might be wise to do a revbump and just have symlinks for .10 -> .12... or should we force the revdep-rebuild?
I don't like the idea of having the symlink, but I also don't want to force people to rebuild parts of their system when they really don't need to. I'll wait for comments here before taking action.

Stable for HPPA.

alpha/ia64/x86 stable

adding CVE reference (CVE-2007-2645)

ppc stable

sparc stable.

amd64 stable

Adding mips to CC since they weren't on it. They had 0.6.12 stable which is vulnerable

Considering that nautilus is one of the affected packages you may want to add an elog notice about the .so bump.

GLSA 200706-01, thanks everybody
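
The soname change discussed in this thread (libexif.so.9 and libexif.so.10 going away, 0.6.15 installing libexif.so.12) can be checked per binary by reading its NEEDED entries. The script below is an added example, not part of the original bug report or of Portage; the function names and the sample dynamic-section excerpt (including libjpeg.so.62) are constructed for illustration, and it assumes `readelf` from binutils is installed.

```sh
#!/bin/sh
# Added example (not from the bug report): find ELF files that still need a
# libexif soname the fixed package no longer provides.
# Sonames come from the thread: .9 and .10 are retired, 0.6.15 installs .12.
RETIRED_SONAMES="libexif.so.9 libexif.so.10"

# stale_needed: read `readelf -d` output on stdin and print, on one line,
# every retired soname named in a NEEDED entry. Returns 0 if any was found.
stale_needed() {
    awk -v retired="$RETIRED_SONAMES" '
        BEGIN { n = split(retired, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /\(NEEDED\)/ {
            # e.g. " 0x...01 (NEEDED)  Shared library: [libexif.so.10]"
            s = index($0, "["); e = index($0, "]")
            if (s && e > s) {
                lib = substr($0, s + 1, e - s - 1)
                if (lib in bad) out = (out ? out " " : "") lib
            }
        }
        END { if (out) print out; exit(out ? 0 : 1) }
    '
}

# sample_dynamic_section: constructed readelf -d excerpt for a binary built
# against 0.6.13-r1, like the GIMP jpeg plug-in mentioned in the thread.
sample_dynamic_section() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libexif.so.10]
 0x0000000000000001 (NEEDED)             Shared library: [libjpeg.so.62]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

# scan_dir DIR: list files under DIR that are linked against a retired soname.
scan_dir() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if hits=$(readelf -d "$f" 2>/dev/null | stale_needed); then
            printf '%s: %s\n' "$f" "$hits"
        fi
    done
}

# Usage: sh this-script /usr/lib64/gimp/2.0/plug-ins
if [ "$#" -gt 0 ]; then scan_dir "$1"; fi
```

Files it reports are the ones that need rebuilding against the fixed library; a binary that names libexif.so.12 is not reported.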