diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2014-08-24 21:53:25.000000000 +0000
+++ libexif-0.6.21/debian/changelog 2020-02-11 12:12:16.000000000 +0000
@@ -1,3 +1,22 @@
+libexif (0.6.21-2ubuntu0.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Integer overflow
+ - debian/patches/CVE-2016-6328.patch: fix int overflow while parsing
+ MNOTE entry data of the input file in
+ libexif/pentax/mnote-pentax-entry.c
+ - CVE-2016-6328
+ * SECURITY UPDATE: Out-bouns heap read and denial of service
+ - debian/patches/CVE-2017-7544.patch: fixes out-of-bounds heap read
+ in exif_data_save_data_entry function in libexif/exif-data.c.
+ - CVE-2017-7544
+ * SECURITY UPDATE: Out of bounds write
+ - debian/patches/CVE-2019-9278.patch: avoid the use of unsafe int overflow
+ checking constructs and check for the actual sizes to avoid integer
+ overflows in libexif/exif-data.c.
+ - CVE-2019-9278
+
+ -- Leonidas S. Barbosa Tue, 11 Feb 2020 09:10:54 -0300
+
 libexif (0.6.21-2) unstable; urgency=medium
 
 * Use autoreconf instead of autotools-dev (Closes: #754399)
diff -Nru libexif-0.6.21/debian/control libexif-0.6.21/debian/control
--- libexif-0.6.21/debian/control 2014-08-24 19:34:39.000000000 +0000
+++ libexif-0.6.21/debian/control 2020-02-11 12:12:20.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libexif
 Section: libs
 Priority: optional
-Maintainer: Debian PhotoTools Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian PhotoTools Maintainers
 Uploaders: Emmanuel Bouthenot ,
 Frederic Peters
 Build-Depends: debhelper (>= 9),
diff -Nru libexif-0.6.21/debian/patches/CVE-2016-6328.patch libexif-0.6.21/debian/patches/CVE-2016-6328.patch
--- libexif-0.6.21/debian/patches/CVE-2016-6328.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/CVE-2016-6328.patch 2020-02-11 12:10:35.000000000 +0000
@@ -0,0 +1,52 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328)
+Author: Marcus Meissner
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index 7e97c2c..dcb1560 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ case EXIF_FORMAT_SHORT:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; kcomponents; k++) {
++ if (sizeleft < 2)
++ break;
+ vs = exif_get_short (data, entry->order);
+ snprintf (val+len, maxlen-len, "%i ", vs);
+ len = strlen(val);
+ data += 2;
++ sizeleft -= 2;
+ }
+ }
+ break;
+ case EXIF_FORMAT_LONG:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; kcomponents; k++) {
++ if (sizeleft < 4)
++ break;
+ vl = exif_get_long (data, entry->order);
+ snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ len = strlen(val);
+ data += 4;
++ sizeleft -= 4;
+ }
+ }
+ break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ break;
+ }
+
+- return (val);
++ return val;
+ }
diff -Nru libexif-0.6.21/debian/patches/CVE-2017-7544.patch libexif-0.6.21/debian/patches/CVE-2017-7544.patch
--- libexif-0.6.21/debian/patches/CVE-2017-7544.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/CVE-2017-7544.patch 2020-02-11 12:10:41.000000000 +0000
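Review bot: The early `break` on `sizeleft < 2` / `sizeleft < 4` makes a forged or truncated component count silently render fewer values, and nothing says why `entry->size` is trusted over the loop bound; a one-line comment above the first check, `/* components comes from the file; entry->size is what was actually loaded, so it bounds the reads */`, would record the intent for the next reader. Only the EXIF_FORMAT_SHORT and EXIF_FORMAT_LONG cases are bounded here; whether the switch has other multi-byte cases is outside the hunk, and the loop header is garbled in this copy (the `<entry->` of `k<entry->components` was lost in extraction), so that cannot be confirmed from the page. The DEP-3 header carries no `Origin:` field, so the upstream commit this was taken from is not recorded. `mnote_pentax_entry_get_value` starts and ends outside the hunk.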
@@ -0,0 +1,21 @@
+Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry function (CVE-2017-7544)
+Author: Marcus Meissner
+Bug-Debian: http://bugs.debian.org/876466
+Last-Update: 2017-07-04
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..91f4c33 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
+ exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ e->components = e->size;
++ if (exif_format_get_size (e->format) != 1) {
++ /* e->format is taken from input code,
++ * but we need to make sure it is a 1 byte
++ * entity due to the multiplication below. */
++ e->format = EXIF_FORMAT_UNDEFINED;
++ }
+ }
+ }
+
diff -Nru libexif-0.6.21/debian/patches/CVE-2019-9278.patch libexif-0.6.21/debian/patches/CVE-2019-9278.patch
--- libexif-0.6.21/debian/patches/CVE-2019-9278.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/CVE-2019-9278.patch 2020-02-11 12:10:45.000000000 +0000
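Review bot: Forcing `e->format = EXIF_FORMAT_UNDEFINED` rewrites the caller's ExifEntry during a save with no trace, so a maker-note entry whose format came in wrong from the file is fixed up silently; a log line before the assignment would make that visible when diagnosing a file, e.g. `exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", "MakerNote entry format %i is not 1 byte wide, forcing UNDEFINED", (int) e->format);`. The condition also catches format values exif_format_get_size does not know about, presumably because it returns 0 for them, and that is the real input-validation case, so the comment should say so rather than only mentioning the width. The "multiplication below" the comment refers to is outside the hunk, so the assumption it protects cannot be checked here; exif_data_save_data_entry starts and ends outside the hunk.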
@@ -0,0 +1,81 @@
+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: [PATCH] fix CVE-2019-9278
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 91f4c33..bc70b5d 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -191,9 +191,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+ doff = offset + 8;
+
+ /* Sanity checks */
+- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++ if (doff >= size) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Tag data past end of buffer (%u > %u)", doff+s, size);
++ "Tag starts past end of buffer (%u > %u)", doff, size);
++ return 0;
++ }
++
++ if (s > size - doff) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ return 0;
+ }
+
+@@ -314,13 +320,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ unsigned int ds, ExifLong o, ExifLong s)
+ {
+ /* Sanity checks */
+- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Bogus thumbnail offset (%u) or size (%u).",
+- o, s);
++ if (o >= ds) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++ return;
++ }
++ if (s > ds - o) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
++ return;
++ }
+-
+ if (data->data)
+ exif_mem_free (data->priv->mem, data->data);
+ if 
(!(data->data = exif_data_alloc (data, s))) {
+@@ -909,7 +916,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 0 at %i.", (int) offset);
+
+- /* Sanity check the offset, being careful about overflow */
++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ if (offset > ds || offset + 6 + 2 > ds)
+ return;
+
+@@ -918,6 +925,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+
+ /* IFD 1 offset */
+ n = exif_get_short (d + 6 + offset, data->priv->order);
++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ if (offset + 6 + 2 + 12 * n + 4 > ds)
+ return;
+
+@@ -926,8 +934,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 1 at %i.", (int) offset);
+
+- /* Sanity check. */
+- if (offset > ds || offset + 6 > ds) {
++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++ if (offset > ds - 6) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifData", "Bogus offset of IFD1.");
+ } else {
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series 2013-01-26 15:46:30.000000000 +0000
+++ libexif-0.6.21/debian/patches/series 2020-02-11 12:10:45.000000000 +0000
@@ -1,2 +1,5 @@
 pkg_config_header_dir
 extra_colorspace_check
+CVE-2016-6328.patch
+CVE-2017-7544.patch
+CVE-2019-9278.patch
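Review bot: In the last hunk `if (offset > ds - 6)` is only safe because of a lower bound on `ds` established outside the hunk, which the new comment asserts rather than the code enforces; if `ds` is unsigned (the thumbnail helper's `ds` is `unsigned int`) and that earlier check ever moves, `ds - 6` wraps and the IFD1 check accepts any offset. A self-contained form costs one comparison, `if (ds < 6 || offset > ds - 6) {`, and the same remark applies to `offset + 6 + 2 > ds` at 916, whose overflow freedom rests on the "restricted to 16 bit above" comment. In the exif_data_load_data_entry hunk the second debug message still formats `doff+s`, which can wrap in the log output even though the comparison `s > size - doff` no longer can; printing `s` and `size - doff` separately would keep the message truthful. All three functions touched by this patch start and end outside their hunks.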