exiv2/SECURITY.md
Josh Soref e56abfa10a
Spelling (#2067)
* spelling: accelerometer

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: address

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: anonymous

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: available

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: baby

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: buffer

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: build

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: builds

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: by inclusion

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: byte order

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: camera

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: command

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: consistency

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: constructor

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: continuous

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: continuously

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: correspond

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: decompression

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: dedicated

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: denominator

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: dependencies

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: detector

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: dlighting

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: dragging

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: duplicate

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: dynamic

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: empty

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: enable

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: endianness

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: examining

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: exceed

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: extension

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: fact

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: fails

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: fixed

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: fluorescent

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: focuspoint

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: focuspoints

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: from

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: happened

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: hierarchy

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: initiate

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: interesting

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: internal

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: javascript

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: language

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: libiconv

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: libraries

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: library

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: localization

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: macros

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: member

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: members

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: metadata

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: miscellaneous

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: mnemonic

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: modified

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: multiple

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: multithreaded

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: mysterious

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: photoshop

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: platforms

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: preliminary

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: priority

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: properties

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: qualifier

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: recognition

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: recognized

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: reentrancy

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: remaining

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: remotetest

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: requested

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: sensitivity

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: standardize

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: successful

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: such

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: tags

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: temperature

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: test

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: the

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: these

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: third

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: this

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: transparent

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: unable

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: underwater

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: uninterpreted

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: using

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: utc - coordinated universal time

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: which

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: with

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2022-02-04 08:53:04 +01:00


Security Policy

Supported Versions

| Exiv2 Version | Date       | Tag   | Branch           | Dot/Security | Release Date | Tag     |
|:--------------|:-----------|:------|:-----------------|:-------------|:-------------|:--------|
| v0.27         | 2018-12-20 | 0.27  | 0.27-maintenance | v0.27.1      | 2019-04-18   | 0.27.1  |
|               |            |       |                  | v0.27.2      | 2019-07-29   | v0.27.2 |
|               |            |       |                  | v0.27.3      | 2020-06-30   | v0.27.3 |
|               |            |       |                  | v0.27.4      | 2021-06-15   | v0.27.4 |
|               |            |       |                  | v0.27.5      | 2021-09-30   | v0.27.5 |
| v0.26         | 2017-04-28 | v0.26 | 0.26             | None         |              |         |
| v0.25         | 2015-06-21 | None  | 0.25             | None         |              |         |

Security Process

If you have found a security vulnerability in Exiv2, please follow these steps:

  • Send an email to our security contact person: Kevin Backhouse (kevinbackhouse@github.com).
  • We will create a draft security advisory and invite you as a collaborator.
  • Add a comment to the draft security advisory with a detailed description of the vulnerability. (Please don't use the "Description" field, because we'll use the "Description" field to write a short summary later.)
  • Include all of the following details in your description of the vulnerability:
    • Exact version of Exiv2 that you tested. For example: commit 194bb65ac568a5435874c9d9d73b1c8a68e4edec
    • Platform used. For example: Ubuntu 20.04.2 LTS (x86_64)
    • Exact command used to build Exiv2. For example: mkdir build; cd build; cmake ..; make
    • Attach a copy of the image file that triggers the bug. For example: poc.jpg
    • Exact command line arguments that trigger the bug. For example: ./bin/exiv2 poc.jpg
    • Crash output (stdout + stderr).
    • The source location of the bug and/or any other information that you are able to provide about what the cause of the bug is.

The draft security advisory is private until we publish it, so it is a good place to discuss the details of the vulnerability privately. For the initial email, just a summary of the issue is sufficient.

To qualify as a security issue, the bug must be reproducible on an official release of Exiv2, via a realistic attack vector. As a general rule, that means it should be possible to trigger the bug by running the exiv2 command-line application on a malicious input file. Please note that the applications in the samples sub-directory are demo applications that are not intended for production use, so we usually do not consider bugs in those applications to be security vulnerabilities. However, if one of the sample applications reveals a legitimate bug in the exiv2 library then we will still consider it as a potential security issue.

Official releases are listed here (not including those labeled "pre-release"). Bugs that are only reproducible on the main branch or on a pre-release are not security issues and can be reported as regular issues.

Team Exiv2 does not back-port security fixes (or any other fix) to earlier releases of the code. An engineer at SUSE has patched and fixed some security releases for Exiv2 v0.26 and Exiv2 v0.25 in branches 0.26 and 0.25. Exiv2 has provided several Dot Releases for v0.27. Exiv2 has never issued a Security Release.

The version numbering scheme is explained below. The design includes provision for a security release. A Dot Release is an updated version of the library with security PRs and other changes. A Dot Release offers the same API as its parent. A Security Release is an existing release PLUS one or more security PRs. Nothing else is changed from its parent.

Users can register on GitHub.com to receive release notices for RC and GM Releases. Additionally, we inform users when we begin a project to create a new release on Facebook (https://facebook.com/exiv2) and Discuss Pixls (https://discuss.pixls.us). The announcement of a new release project includes a preliminary specification and schedule.

Version Numbering Scheme

| Version     | Name               | Status       | Purpose                                                  |
|:------------|:-------------------|:-------------|:---------------------------------------------------------|
| v0.27.7.3   | Exiv2 v0.27.3      | GM           | Golden Master. This is the final and official release.   |
| v0.27.3.2   | Exiv2 v0.27.3.2    | RC2          | Release Candidate 2.                                     |
| v0.27.3.20  | Exiv2 v0.27.3.2    | RC2 Preview  | Dry-run for release candidate. For team review.          |
| v0.27.3.81  | Exiv2 v0.27.3      | Security Fix | Security Release                                         |
| v0.27.3.29  | Exiv2 v0.27.3.29   | Development  | Should never be installed for production.                |
| v0.27.4.9   | Exiv2 v0.27.4.9    | Development  | Should never be installed for production.                |
| v0.27.99    | Exiv2 v0.28        | Development  | Should never be installed for production.                |