Created attachment 226029
Patch for exiv2
Update exiv2 to 0.27.4
Addressed CVEs (compared to 0.27.3 unpatched)
    CVE-2021-29457
    CVE-2021-29458
    CVE-2021-29463
    CVE-2021-29464
    CVE-2021-29470
    CVE-2021-29473
    CVE-2021-29623
    CVE-2021-32617
    CVE-2021-3482
Backport commit c069e36605f05e8e58bf964e5ecbde04efb90a20 to fix compilation with Googletest >= 1.11.0
Compile tested on 13.0-STABLE #0 stable/13-n245227-5ec4eb443e8 (amd64) (make, make check-plist, make test)
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
I also briefly tested this with Gerbera and it appears to work fine
I'll try to write up a vuxml entry in a few days unless someone beats me to it.
Created attachment 226137
VuXML entry
Hello,
multimedia@ would like to ask for an exp-run of the attached patch.
Best regards,
Tobias
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=0e1cf83190b530cb73a9c086a4a2ca1d30776996
commit 0e1cf83190b530cb73a9c086a4a2ca1d30776996
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-07-04 20:55:14 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-07-04 20:55:52 +0000
    security/vuxml: document vulnerabilities in graphics/exiv2
    PR: 256803
 security/vuxml/vuln-2021.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
Exp-run looks fine
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=0317bd0d24c06dd611c764b237462c62c4b92e95
commit 0317bd0d24c06dd611c764b237462c62c4b92e95
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-07-06 20:06:33 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-07-06 20:11:41 +0000
    graphics/exiv2: update to 0.27.4
    Exiv2 v0.27.4 Features:
    1. bmff support (.CR3, .AVIF, .HEIC, .HIF, .JXL/bmff) files.
    2. Rewrite 0.27 bash test scripts in python.
    3. Support for Exif 2.32 and DNG 1.6.
    4. Crowdin Localisation Support
    5. Completion of Image Metadata and Exiv2 Architecture https://clanmills.com/exiv2/book/
    6. Improved documentation.
    7. Various minor bugs and fixes.
    8. RC3 issued to deal with 12 security issues. After 18 months without a CVE, we were attacked between RC2 and GM.
    9. Security policy defined and published on GitHub.
    PR: 256803
    Exp-run by: antoine
 graphics/exiv2/Makefile | 6 +++--
 graphics/exiv2/distinfo | 6 ++---
 .../files/patch-cmake_compilerFlags.cmake (gone) | 15 -----------
 ...-c069e36605f05e8e58bf964e5ecbde04efb90a20 (new) | 30 ++++++++++++++++++++++
 graphics/exiv2/pkg-plist | 4 +--
 5 files changed, 39 insertions(+), 22 deletions(-)
A commit in branch 2021Q3 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=febddefea7957e6c49d7608af398aa12413e3068
commit febddefea7957e6c49d7608af398aa12413e3068
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-07-06 20:06:33 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-07-06 20:12:27 +0000
    graphics/exiv2: update to 0.27.4
    Exiv2 v0.27.4 Features:
    1. bmff support (.CR3, .AVIF, .HEIC, .HIF, .JXL/bmff) files.
    2. Rewrite 0.27 bash test scripts in python.
    3. Support for Exif 2.32 and DNG 1.6.
    4. Crowdin Localisation Support
    5. Completion of Image Metadata and Exiv2 Architecture https://clanmills.com/exiv2/book/
    6. Improved documentation.
    7. Various minor bugs and fixes.
    8. RC3 issued to deal with 12 security issues. After 18 months without a CVE, we were attacked between RC2 and GM.
    9. Security policy defined and published on GitHub.
    PR: 256803
    Exp-run by: antoine
    (cherry picked from commit 0317bd0d24c06dd611c764b237462c62c4b92e95)
 graphics/exiv2/Makefile | 6 +++--
 graphics/exiv2/distinfo | 6 ++---
 .../files/patch-cmake_compilerFlags.cmake (gone) | 15 -----------
 ...-c069e36605f05e8e58bf964e5ecbde04efb90a20 (new) | 30 ++++++++++++++++++++++
 graphics/exiv2/pkg-plist | 4 +--
 5 files changed, 39 insertions(+), 22 deletions(-)
Committed, thanks for the patch and for the exp-run.