Bug 264618 - graphics/p5-Image-ExifTool: Update to 12.42 - (fixed security vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Neel Chauhan
URL: https://exiftool.org/history.html
Keywords: security
Duplicates: 262414
Depends on:
Blocks:
 
Reported: 2022-06-11 18:22 UTC by Rafael Grether
Modified: 2022-06-24 15:23 UTC

See Also:
devnull: merge-quarterly?


Attachments
Updating-p5-Image-ExifTool-12.42 (2.69 KB, patch)
2022-06-11 18:22 UTC, Rafael Grether
devnull: maintainer-approval+
vuXML-CVE-2022-23935 (1.63 KB, patch)
2022-06-11 18:24 UTC, Rafael Grether
devnull: maintainer-approval+

Description Rafael Grether 2022-06-11 18:22:04 UTC
Created attachment 234623
Updating-p5-Image-ExifTool-12.42

@COMMITTER, please update graphics/p5-Image-ExifTool.

There is also a security vulnerability, leading to RCE.
Added entry in VuXML: CVE-2022-23935

QA tests passed.
Comment 1 Rafael Grether 2022-06-11 18:24:27 UTC
Created attachment 234624
vuXML-CVE-2022-23935

Added vuXML entry:
CVE-2022-23935
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-06-21 21:10:19 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=37712655fcaaaa0d99082c17db774f63cbd878a8

commit 37712655fcaaaa0d99082c17db774f63cbd878a8
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-06-11 17:20:18 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-06-21 21:09:38 +0000

    graphics/p5-Image-ExifTool: Update to 12.42

    PR:             264618
    MFH:            2022Q2 (security blanket)
    Security:       CVE-2022-23935

 graphics/p5-Image-ExifTool/Makefile  | 2 +-
 graphics/p5-Image-ExifTool/distinfo  | 6 +++---
 graphics/p5-Image-ExifTool/pkg-plist | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-06-21 21:10:20 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d1a91ac3af2def2af574b9d6266ead4811aaf6fd

commit d1a91ac3af2def2af574b9d6266ead4811aaf6fd
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-06-21 21:05:51 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-06-21 21:09:38 +0000

    graphics/p5-Image-ExifTool: Add an vuxml entry for update 12.42

    PR:     264618

 security/vuxml/vuln-2022.xml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
Comment 4 Neel Chauhan freebsd_committer freebsd_triage 2022-06-21 21:10:58 UTC
Committed and MFH'd!
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-06-21 21:11:21 UTC
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=294ffa9e571f7489af1b75cc82dba8941772d02c

commit 294ffa9e571f7489af1b75cc82dba8941772d02c
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-06-11 17:20:18 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-06-21 21:10:35 +0000

    graphics/p5-Image-ExifTool: Update to 12.42

    PR:             264618
    MFH:            2022Q2 (security blanket)
    Security:       CVE-2022-23935
    (cherry picked from commit 37712655fcaaaa0d99082c17db774f63cbd878a8)

 graphics/p5-Image-ExifTool/Makefile  | 2 +-
 graphics/p5-Image-ExifTool/distinfo  | 6 +++---
 graphics/p5-Image-ExifTool/pkg-plist | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)
Comment 6 takefu 2022-06-22 06:42:10 UTC
*** Bug 262414 has been marked as a duplicate of this bug. ***