Please update ExifTool. ExifTool is at version 12.30 in production release.
Among a substantial number of bugfixes, there have been multiple security vulnerabilities addressed in versions between the current port version and the latest:

July 9, 2021 - Version 12.29
- Patched a security issue

May 20, 2021 - Version 12.26 (production release)
- Patched security vulnerability in argument of -lang option

Apr. 13, 2021 - Version 12.24
- Patched security vulnerability in DjVu reader

1) We'll need security/vuxml entries for these along with additional information from upstream on their nature, including CVE and other upstream (issue, pr, commit) reference links where available.

So that the security changes can be merged to the quarterly branch, and given there have been some API changes in prior versions, either:
- Separation/backporting of the security fixes (commits) separately and prior to the version update, OR
- Confirmation that the latest version is supported by, and works with, all ports that depend on it, so that the latest version can be merged to quarterly without regression.
Created attachment 231196: [PATCH] graphics/p5-Image-ExifTool: update to 12.30

ExifTool is at version 12.30 in production release. Besides minor fixes and improvements, this release is about security fixes.

CVE-2021-22204: Anyone using ExifTool (Version 12.24) can be triggered with a valid image leading to arbitrary code execution, through improper neutralization of user data in the DjVu file format.

Other security fixes without a related CVE.
Thank you for the patch, Rafael. If you could take care of the addition of security/vuxml entries, that would be great. If you need help with this, ask in #freebsd-ports on Libera Chat IRC or #ports on FreeBSD Discord.
For sure, Kubilay! I will do this.
Created attachment 231273: VuXML entry

Added a new entry in VuXML, identified by VID 955f377e-7bc3-11ec-a51c-7533f219d428.

It has been largely exploited in the wild. Exploit: https://github.com/se162xg/CVE-2021-22204

Also, GitLab CE/EE was vulnerable too (until version 13.10.2), since the GitLab CE/EE Preauth RCE uses ExifTool. But the package is already updated in FreeBSD ports, so GitLab is no longer vulnerable. So I don't know if it's necessary to add a new entry in VuXML for GitLab CE. If so, let me know so I can add it too.
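For reference, the shape such a VuXML entry takes in security/vuxml (an added illustration, not the contents of the attachment or of the later commit): the VID and CVE are the ones named in this thread, the affected range follows the 12.24 ChangeLog note quoted above, and the ChangeLog URL and the entry date are assumptions.

```xml
<!-- Added example of a VuXML entry; VID and CVE from this bug, other values assumed -->
<vuln vid="955f377e-7bc3-11ec-a51c-7533f219d428">
  <topic>p5-Image-ExifTool -- arbitrary code execution via DjVu reader</topic>
  <affects>
    <package>
      <name>p5-Image-ExifTool</name>
      <!-- fixed in 12.24 per the ChangeLog entry of Apr. 13, 2021 -->
      <range><lt>12.24</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The ExifTool ChangeLog reports:</p>
      <!-- cite URL is an assumed location of the upstream ChangeLog -->
      <blockquote cite="https://exiftool.org/history.html">
        <p>Patched security vulnerability in DjVu reader.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2021-22204</cvename>
    <url>https://exiftool.org/history.html</url>
  </references>
  <dates>
    <!-- discovery: 12.24 release date from the ChangeLog; entry: assumed -->
    <discovery>2021-04-13</discovery>
    <entry>2022-01-22</entry>
  </dates>
</vuln>
```

Before committing, `make validate` in security/vuxml checks the entry against the schema, and `pkg audit` against the resulting database confirms that the old port version is flagged.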
Created attachment 231433: [PATCH] graphics/p5-Image-ExifTool: update to 12.30
ports-secteam, since the maintainer did not respond, please commit these changes and change the maintainer. Last commit with QA adjustment.

ExifTool is at version 12.30 in production release. Besides minor fixes and improvements, this release is about security fixes.

CVE-2021-22204: Anyone using ExifTool (Version 12.24) can be triggered with a valid image leading to arbitrary code execution, through improper neutralization of user data in the DjVu file format.
Comment on attachment 231433: [PATCH] graphics/p5-Image-ExifTool: update to 12.30

Approved by: portmgr (maintainer timeout: 21 days)

@Reporter Could you please address the question and decision from comment 1, namely:

So that the security changes can be merged to the quarterly branch, and given there have been some API changes in prior versions, either:
1) Separation/backporting of the security fixes (commits) separately and prior to the version update, OR
2) Confirmation that the *latest version is supported by, and works with, all ports that depend on it*, so that the latest version can be merged to quarterly without regression.

At a minimum a reverse-dependents build test, ideally test suite passes for reverse dependents (build tests don't necessarily pick up runtime API compatibility issues).
@koobs, my decision is under the second point (2).

All reverse dependents (12 in total): fgallery, fotoxx, gitlab-workhorse, hugin, npretty, p5-MojoMojo, p5-Toader, py38-mat2, py38-pdf-redact-tools, rapid-photo-downloader, recoll, renrot were built in a jail, to ensure an independent testing environment.

After the build test, 8 reverse dependencies: fgallery, hugin, npretty, py38-mat2, py38-pdf-redact-tools, rapid-photo-downloader, recoll, renrot were tested at runtime, and the tests pass.

So, the latest version is supported by all ports that depend on it.
ports-secteam and portmgr, please commit these changes and change the maintainer.
Moin moin

Any committer could have done this change. Neither portmgr@ nor ports-secteam@ is required here.

mfg Tobias
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=53cfad57e02981559cf37679830b9b49496218f3

commit 53cfad57e02981559cf37679830b9b49496218f3
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-01-29 17:33:17 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-25 07:06:40 +0000

    graphics/p5-Image-ExifTool: update to 12.30

    ExifTool is a platform-independent Perl library plus a command-line
    application for reading, writing and editing meta information in a wide
    variety of files.

    ExifTool is at version 12.30 in production release. Besides minor fixes
    and improvements, this release is about security fixes.

    CVE-2021-22204
    Anyone using ExifTool (Version 12.24) can be triggered with a valid image
    leading to arbitrary code execution, through improper neutralization of
    user data in the DjVu file format

    Other security fixes without CVE related.

    * Give maintainership to Rafael Grether

    Approved by:    evin@sevenlayer.studio (maintainer, timeout)
    PR:             260590
    Security:       CVE-2021-22204

 graphics/p5-Image-ExifTool/Makefile  |  6 +++---
 graphics/p5-Image-ExifTool/distinfo  |  6 +++---
 graphics/p5-Image-ExifTool/pkg-descr | 27 +++++++++++++++------------
 graphics/p5-Image-ExifTool/pkg-plist | 14 ++++++++++++--
 4 files changed, 33 insertions(+), 20 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a7d64bf0bc13975780175e420d7b242d61daa814

commit a7d64bf0bc13975780175e420d7b242d61daa814
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-03-25 07:05:40 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-25 07:06:39 +0000

    security/vuxml: Document graphics/p5-Image-ExifTool vulnerability

    Security:       CVE-2021-22204
    PR:             260590

 security/vuxml/vuln-2022.xml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=96447b146b5cb4f0eff34a16057f3b04f79538ea

commit 96447b146b5cb4f0eff34a16057f3b04f79538ea
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-01-29 17:33:17 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-25 07:08:58 +0000

    graphics/p5-Image-ExifTool: update to 12.30

    ExifTool is a platform-independent Perl library plus a command-line
    application for reading, writing and editing meta information in a wide
    variety of files.

    ExifTool is at version 12.30 in production release. Besides minor fixes
    and improvements, this release is about security fixes.

    CVE-2021-22204
    Anyone using ExifTool (Version 12.24) can be triggered with a valid image
    leading to arbitrary code execution, through improper neutralization of
    user data in the DjVu file format

    Other security fixes without CVE related.

    * Give maintainership to Rafael Grether

    Approved by:    evin@sevenlayer.studio (maintainer, timeout)
    PR:             260590
    Security:       CVE-2021-22204

    (cherry picked from commit 53cfad57e02981559cf37679830b9b49496218f3)

 graphics/p5-Image-ExifTool/Makefile  |  6 +++---
 graphics/p5-Image-ExifTool/distinfo  |  6 +++---
 graphics/p5-Image-ExifTool/pkg-descr | 27 +++++++++++++++------------
 graphics/p5-Image-ExifTool/pkg-plist | 14 ++++++++++++--
 4 files changed, 33 insertions(+), 20 deletions(-)
Committed.

Note: there is already a .40 release by now; so, as the new maintainer, get on it :D

mfg Tobias