Changelog:
libexif-0.6.24 (2021-11-25):
* Translation updates: sr, vi, pl, uk, french
* fixed regression in exif_data_load_data which could not load EXIF in JPEG data anymore
* Decode lots of Canon tag names
* removed empty strings from translation (empty string would translate to the PO info header)
* various warning removals and code improvements
* added sample "persistent" afl fuzzer (100x faster than normal afl fuzzer)
libexif-0.6.23 (2021-09-12):
* Translation updates: es, pl, uk, fr
* EXIF_TAG_SENSITIVITY_TYPE decoder added, added some more Exif 2.3 tags:
- EXIF_TAG_STANDARD_OUTPUT_SENSITIVITY
- EXIF_TAG_RECOMMENDED_EXPOSURE_INDEX
- EXIF_TAG_ISO_SPEED
- EXIF_TAG_ISO_SPEEDLatitudeYYY
- EXIF_TAG_ISO_SPEEDLatitudeZZZ
- EXIF_TAG_OFFSET_TIME
- EXIF_TAG_OFFSET_TIME_ORIGINAL
- EXIF_TAG_OFFSET_TIME_DIGITIZED
- EXIF_TAG_IMAGE_DEPTH
* be more relaxed to out of order JPG / EXIF dataheaders in files generated by some tools
* default GPS IFD table added
* Decode more Nikon Makernote tag names
* Added Apple iOS Makernote
* Security fixes:
* CVE-2020-0198: unsigned integer overflow in exif_data_load_data_content
* CVE-2020-0452: compiler optimization could remove an a
bufferoverflow check, making a buffer overflow possible with some
EXIF tags
* some more denial of service (compute time or stack exhaustion) counter-measures
added that avoid minutes of decoding time with malformed files found
by OSS-Fuzz
libexif-0.6.22 (2020-05-18):
* New translations: ms
* Updated translations for most languages
* Fixed C89 compatibility
* Fixed warnings on recent versions of autoconf
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
* Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others.
* CVE-2018-20030: Fix for recursion DoS
* CVE-2020-13114: Time consumption DoS when parsing canon array markers
* CVE-2020-13113: Potential use of uninitialized memory
* CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
* CVE-2020-0093: read overflow
* CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs
* CVE-2020-12767: fixed division by zero
* CVE-2016-6328: fixed integer overflow when parsing maker notes
* CVE-2017-7544: fixed buffer overread
Problems found with existing digests:
Package fotoxx distfile fotoxx-14.03.1.tar.gz
ac2033f87de2c23941261f7c50160cddf872c110 [recorded]
118e98a8cc0414676b3c4d37b8df407c28a1407c [calculated]
Package ploticus-examples distfile ploticus-2.00/plnode200.tar.gz
34274a03d0c41fae5690633663e3d4114b9d7a6d [recorded]
da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
Problems found locating distfiles:
Package AfterShotPro: missing distfile AfterShotPro-1.1.0.30/AfterShotPro_i386.deb
Package pgraf: missing distfile pgraf-20010131.tar.gz
Package qvplay: missing distfile qvplay-0.95.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
* New translations: en_AU, uk
* Updated translations: cs, da, de, en_CA, nl, pl, sk, sv, vi
* Added more supported lens in Canon MakerNote
* Added some defensive NULL pointer checks
* Fixed a number of security and stability issues due to buffer overflows,
bad pointer dereferences and division-by-zero including bug 3434540
and bug 3434545 (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814,
CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841,
CVE-2012-2845)
* New translations: bs, tr
* Updated translations: be, cs, da, de, en_GB, en_CA, it, ja, nl, pl, pt_BR,
pt, ru, sk, sq, sr, sv, vi, zh_CN
* Fixed some problems in the write-exif.c example program
* Stop listing -lm as a required library for dynamic linking in libexif.pc
* Turned on the --enable-silent-rules configure option
* Changed a lot of strings to make the case of the text more consistent
* exif_entry_dump() now displays the correct tag name for GPS tags
* Fixed some invalid format specifiers that caused problems on some platforms
* Display rational numbers with the right number of significant figures
* New translations: be, en_GB, it, ja, pt, sq, zh_CN
* Updated translations: da, sv, vi
* Now using a binary search to make searching through the tag table faster
* Fixed a heap buffer overflow during tag format conversion
* Updated translations: cs, de, pl, sk, vi
* New translations: nl, se, en_CA
* Enabled sv translation by default
* Bug fixes
* Enhanced support of Canon and Olympus makernotes
* Added support for Fuji and Sanyo makernotes
* Added support for the NO_VERBOSE_TAG_STRINGS and NO_VERBOSE_TAG_DATA
macros to reduce size for embedded applications
* Added support for more tags
New in 0.6.15 (2007-05-23) since 0.6.14 (2007-05-10):
* Added support for 2 new types of Pentax makernotes & Casio type2 makernote
* Added support for Win XP metadata (Author, Comment, KeyWords, Title,
Subject) tags
* Bug fixes:
[ 1443183 ] install error when doxygen is not present.
* New translations: Czech, Slovak.
* Improved doxygen generated API and code internals
documentation. Made building of code internals docs optional
(--enable-internal-docs) as the call graphs take quite long to
build. Made building any docs optional (--disable-docs).
New in 0.6.14 (2007-05-10) since 0.6.13 (2005-12-27):
* Bug fixes: #1457501, #1471060, #1525770, #1617991, #1703284, #1716196
* Extended support of Canon, Nikon, Olympus makernotes
* Added option EXIF_DATA_OPTION_DONT_CHANGE_MAKER_NOTE to prevent
modification of maker notes
* Other fixes and improvements which include API/ABI additions.
JPEG pictures with certain EXIF data, like those from SONY, Nikon
or Canon digital cameras.
Obtained from libexif CVS, exif-data.c, rev. 1.68, via FreeBSD.
Noted by Leonard Schmidt on tech-pkg.
"Matthias Clasen has reported a vulnerability in libexif, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an infinite recursion in the
"exif_data_load_data_content()" function and can be exploited to
cause a stack overflow when parsing a specially crafted image.
Successful exploitation may crash an application linked against the
vulnerable library."
Bump PKGREVISION. Patch from:
http://sourceforge.net/tracker/index.php?func=detail&aid=1196787&group_id=12272&atid=112272
* Final fix of Ubuntu Security Notice USN-91-1 (CAN-2005-0664)
https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152
* Updated build system with cross compile capabilities
* Small fixes:
Fix tag order, use even offsets, improve Nikon&Olympus mnote tags.
* SECURITY UPDATE: Fix buffer overflow.
* libexif/exif-data.c: Add buffer size checks in several places before
trying to access it.
* Thanks to Sylvain Defresne for spotting this and the patch.
* References:
https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152
Thanks to wiz@ for heads-up. :)
* libexif/exif-data.h: Introduce an array of ExifContents. This
doesn't break binary compatibility, but it breaks compilation.
Do something like "%s/->ifd_0/->ifd[EXIF_IFD_0]" in your source
code to make it compile again.
* libexif/configure.in: Introduce proper versionning.
* libexif: There's only one ByteOrder per ExifData.
* libexif/libexif-entry.c: More tags implemented in
(exif_entry_get_value).
Most digital cameras produce EXIF files, which are JPEG files with extra
tags that contain information about the image. The EXIF library allows you
to parse an EXIF file and read the data from those tags.
