diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2019-02-10 13:59:33.000000000 +0000
+++ libexif-0.6.21/debian/changelog 2020-02-11 12:28:46.000000000 +0000
@@ -1,3 +1,13 @@
+libexif (0.6.21-5.1ubuntu0.1) eoan-security; urgency=medium
+
+ * SECURITY UPDATE: Out of bounds write
+ - debian/patches/CVE-2019-9278.patch: avoid the use of unsafe int overflow
+ checking constructs and check for the actual sizes to avoid integer
+ overflows in libexif/exif-data.c.
+ - CVE-2019-9278
+
+ -- Leonidas S. Barbosa Tue, 11 Feb 2020 09:28:46 -0300
+ + libexif (0.6.21-5.1) unstable; urgency=medium * Non-maintainer upload.
diff -Nru libexif-0.6.21/debian/control libexif-0.6.21/debian/control
--- libexif-0.6.21/debian/control 2019-02-10 13:59:33.000000000 +0000
+++ libexif-0.6.21/debian/control 2020-02-11 12:28:46.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libexif
 Section: libs
 Priority: optional
-Maintainer: Debian PhotoTools Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian PhotoTools Maintainers
 Uploaders: Emmanuel Bouthenot , Frederic Peters
 Build-Depends: debhelper (>= 11~),
diff -Nru libexif-0.6.21/debian/patches/CVE-2019-9278.patch libexif-0.6.21/debian/patches/CVE-2019-9278.patch
--- libexif-0.6.21/debian/patches/CVE-2019-9278.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/CVE-2019-9278.patch 2020-02-11 12:28:38.000000000 +0000
@@ -0,0 +1,85 @@
+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: [PATCH] fix CVE-2019-9278
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+---
+ libexif/exif-data.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+Index: libexif-0.6.21/libexif/exif-data.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/exif-data.c
++++ libexif-0.6.21/libexif/exif-data.c
+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *dat
+ doff = offset + 8;
+
+ /* Sanity checks */
+- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++ if (doff >= size) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Tag data past end of buffer (%u > %u)", doff+s, size);
++ "Tag starts past end of buffer (%u > %u)", doff, size);
++ return 0;
++ }
++
++ if (s > size - doff) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ return 0;
+ }
+
+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData
+ unsigned int ds, ExifLong o, ExifLong s)
+ {
+ /* Sanity checks */
+- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Bogus thumbnail offset (%u) or size (%u).",
+- o, s);
++ if (o >= ds) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++ return;
++ }
++ if (s > ds - o) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ return;
+ }
+-
+ if (data->data)
+ exif_mem_free (data->priv->mem, data->data);
+ if (!(data->data = exif_data_alloc (data, s))) {
+@@ -938,7 +945,7 @@ exif_data_load_data (ExifData *data, con
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 0 at %i.", (int) offset);
+
+- /* Sanity check the offset, being careful about overflow */
++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ if (offset > ds || offset + 6 + 2 > ds)
+ return;
+
+@@ -947,6 +954,7 @@ exif_data_load_data (ExifData *data, con
+
+ /* IFD 1 offset */
+ n = exif_get_short (d + 6 + offset, data->priv->order);
++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ if (offset + 6 + 2 + 12 * n + 4 > ds)
+ return;
+
+@@ -955,8 +963,8 @@ exif_data_load_data (ExifData *data, con
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 1 at %i.", (int) offset);
+
+- /* Sanity check. */
+- if (offset > ds || offset + 6 > ds) {
++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++ if (offset > ds - 6) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifData", "Bogus offset of IFD1.");
+ } else {
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series 2019-02-10 13:59:33.000000000 +0000
+++ libexif-0.6.21/debian/patches/series 2020-02-11 12:28:33.000000000 +0000
@@ -7,3 +7,4 @@
 fix-size_t-warnings.patch
 Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch
 Improve-deep-recursion-detection-in-exif_data_load_d.patch
+CVE-2019-9278.patch
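Review bot: The new IFD 1 guard `if (offset > ds - 6)` in the last hunk of the embedded patch depends on the comment's claim that ds is already known to exceed 6; that guarantee is established outside this hunk, and if it is ever weakened, `ds - 6` wraps for ds < 6 and the comparison accepts every offset, which is the same class of unsigned-wraparound check this patch removes elsewhere. Making the guard self-contained costs one comparison: `if (ds < 6 || offset > ds - 6) {`. The same comment asserts offset is 16-bit, but the read that assigns the IFD 1 offset is not visible here, so that claim should be verified against that line; the comparison itself stays safe regardless of offset's width once ds >= 6 is enforced. Similarly, in the first hunk `doff = offset + 8;` is unchanged context, so the new `doff >= size` and `s > size - doff` checks presume offset + 8 cannot wrap, which presumably the caller's bounds check on offset ensures but is worth a one-line comment at that site. exif_data_load_data_entry, exif_data_load_data_thumbnail and exif_data_load_data all begin and end outside these hunks.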