255803 – graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerabilities)

Bug 255803 - graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerabilities)

Summary: graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerab...

Status:	Closed Overcome By Events

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Many People
Assignee:	Mark Felder

URL:	https://exiftool.org/history.html#v12.26
Keywords:	needs-patch, needs-qa

Duplicates (1):	256028 (view as bug list)
Depends on:
Blocks:

Reported:	2021-05-11 21:24 UTC by Mark Felder
Modified:	2022-06-24 15:43 UTC (History)
CC List:	5 users (show)

See Also:

Flags:	takefu: maintainer-feedback-

Attachments
exiftool patch (3.01 KB, patch) 2021-05-11 21:24 UTC, Mark Felder	no flags	Details \| Diff
p5-Image-ExifTool-12.16.patch (2.88 KB, patch) 2021-05-20 12:17 UTC, takefu	no flags	Details \| Diff
p5-Image-ExifTool-12.16.patch (5.69 KB, patch) 2021-05-21 15:16 UTC, takefu	no flags	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Felder freebsd_committer

2021-05-11 21:24:20 UTC

Created attachment 224861 [details]
exiftool patch

I only suggest we bump to 12.25 which is a development release instead of the latest production release because there is a severe security bug that has only been fixed in development releases.

https://exiftool.org/history.html  <-- still lists 12.16 as latest

https://seclists.org/oss-sec/2021/q2/114

I am told that this is exploitable with specially crafted files that are not DJVU -- like common formats of JPEG, PNG, etc -- but I haven't found a public PoC for that.

Comment 1 Li-Wen Hsu freebsd_committer

2021-05-12 11:52:39 UTC

Submitter is a committer.

Comment 2 takefu 2021-05-20 12:17:42 UTC

Created attachment 225118 [details]
p5-Image-ExifTool-12.16.patch

Jan. 21, 2021 - Version 12.16 (production release)

https://exiftool.org/history.html#v12.16

Comment 3 Mark Felder freebsd_committer

2021-05-20 15:54:46 UTC

(In reply to takefu from comment #2)

but this version is still vulnerable... we shouldn't push a new release missing an important security fix.

Comment 4 takefu 2021-05-21 15:16:22 UTC

Created attachment 225152 [details]
p5-Image-ExifTool-12.16.patch

fix CVE-2021-22204

Comment 5 Kubilay Kocak freebsd_committer

2021-05-22 01:05:09 UTC

*** Bug 256028 has been marked as a duplicate of this bug. ***

Comment 6 takefu 2022-03-08 10:03:21 UTC

Update to 12.30
  bug#260590

Comment 7 takefu 2022-06-22 06:44:07 UTC

dup Bug#264618

Comment 8 Rafael Grether 2022-06-24 15:12:24 UTC

@COMMITER, Please close this PR.

This port already updated in Bug#264618