Version in base suite: 0.6.9-6sarge1 Version in overlay suite: 0.6.9-6sarge2 Base version: libexif_0.6.9-6sarge1 Target version: libexif_0.6.9-6sarge2 Base file: /org/ftp.debian.org/ftp/pool/main/libe/libexif/libexif_0.6.9-6sarge1.dsc Target file: /org/ftp.debian.org/ftp/pool/main/libe/libexif/libexif_0.6.9-6sarge2.dsc
diff -u libexif-0.6.9/debian/changelog libexif-0.6.9/debian/changelog
--- libexif-0.6.9/debian/changelog
+++ libexif-0.6.9/debian/changelog
@@ -1,3 +1,9 @@
+libexif (0.6.9-6sarge2) oldstable-security; urgency=high
+
+ * Fix CVE-2007-2645, CVE-2007-6351, CVE-2007-6352
+
+ -- Moritz Muehlenhoff Wed, 6 Feb 2008 00:11:59 +0100
+
 libexif (0.6.9-6sarge1) oldstable-security; urgency=high * Non-maintainer upload by The Security Team
diff -u libexif-0.6.9/libexif/exif-data.c libexif-0.6.9/libexif/exif-data.c
--- libexif-0.6.9/libexif/exif-data.c
+++ libexif-0.6.9/libexif/exif-data.c
@@ -138,6 +138,8 @@
 doff = offset + 8; /* Sanity check */
+ if ((doff + s < doff) || (doff + s < s))
+ return;
 if (size < doff + s) return;
@@ -217,10 +219,9 @@
 exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, unsigned int ds, ExifLong offset, ExifLong size) {
- if (ds < offset + size) {
+ if ((ds < offset + size) || (offset < 0) || (offset > ds)) {
 exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "Bogus thumbnail offset and size: %i < %i + %i.",
- (int) ds, (int) offset, (int) size);
+ "Bogus thumbnail offset and size.");
 return; } if (data->data)
only in patch2: unchanged:
--- libexif-0.6.9.orig/libexif/exif-loader.c
+++ libexif-0.6.9/libexif/exif-loader.c
@@ -66,6 +66,9 @@
 if (eld->state == EL_FAILED) return 0; if (eld->size && eld->bytes_read == eld->size) return 0;
+ if (!len)
+ return 1;
+
 exif_log (eld->log, EXIF_LOG_CODE_DEBUG, "ExifLoader", "Scanning %i byte(s) of data...", len);
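Review bot: The added wrap test `(doff + s < doff) || (doff + s < s)` in exif-data.c at -138 is only reliable if `doff` and `s` are unsigned. Their declarations are outside this hunk, and with signed operands the overflow is undefined behaviour, so a compiler may drop the test. Assuming `size`, `doff` and `s` are all unsigned, a subtraction form avoids relying on wraparound and also covers the existing bounds test: `if (doff > size || s > size - doff) return;`. If the two-step form is kept, a comment such as `/* reject doff + s wrapping around before the bounds test below */` would explain why there are two checks. The enclosing function starts and ends outside the hunk.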
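Review bot: The new condition in exif_data_load_data_thumbnail still evaluates `offset + size` before any bound is applied to `size`. A `size` close to the type's maximum can therefore wrap the sum to a small value and pass `ds < offset + size` even when `offset` is within `ds`. Comparing against the remaining length avoids the addition altogether: `if ((offset > ds) || (size > ds - offset)) {`. ExifLong is defined outside this page; if it is an unsigned type, `(offset < 0)` is always false and can be dropped. The function body continues past the end of the hunk.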
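Review bot: The early `return 1` for `len == 0` in exif-loader.c has no comment saying what 1 means to the caller, while the two returns just above it use 0. From the visible lines, 0 is returned when the loader has failed or has already read `eld->size` bytes, so 1 presumably means "keep feeding data". A comment such as `/* empty write: nothing to scan, ask the caller for more data */` on the new branch would make that explicit. It is also worth confirming that callers which loop on a non-zero return stop on their own when their input yields zero bytes. The enclosing function starts and ends outside the hunk.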