Bug 255803

Summary: graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerabilities)
Product: Ports & Packages
Reporter: Mark Felder <feld>
Component: Individual Port(s)
Assignee: Mark Felder <feld>
Status: Closed Overcome By Events
Severity: Affects Many People
CC: devin, devnull, lwhsu, ports-secteam, takefu
Priority: Normal
Keywords: needs-patch, needs-qa
Version: Latest
Flags: takefu: maintainer-feedback-
Hardware: Any
OS: Any
URL: https://exiftool.org/history.html#v12.26
Attachments (Description: Flags):
exiftool patch: none
p5-Image-ExifTool-12.16.patch: none
p5-Image-ExifTool-12.16.patch: none

Description Mark Felder freebsd_committer freebsd_triage 2021-05-11 21:24:20 UTC
Created attachment 224861
exiftool patch

I only suggest we bump to 12.25 which is a development release instead of the latest production release because there is a severe security bug that has only been fixed in development releases.

https://exiftool.org/history.html  <-- still lists 12.16 as latest

https://seclists.org/oss-sec/2021/q2/114

I am told that this is exploitable with specially crafted files that are not DJVU -- like common formats of JPEG, PNG, etc -- but I haven't found a public PoC for that.
Comment 1 Li-Wen Hsu freebsd_committer freebsd_triage 2021-05-12 11:52:39 UTC
Submitter is a committer.
Comment 2 takefu 2021-05-20 12:17:42 UTC
Created attachment 225118
p5-Image-ExifTool-12.16.patch

Jan. 21, 2021 - Version 12.16 (production release)

https://exiftool.org/history.html#v12.16
Comment 3 Mark Felder freebsd_committer freebsd_triage 2021-05-20 15:54:46 UTC
(In reply to takefu from comment #2)

but this version is still vulnerable... we shouldn't push a new release missing an important security fix.
Comment 4 takefu 2021-05-21 15:16:22 UTC
Created attachment 225152
p5-Image-ExifTool-12.16.patch

fix CVE-2021-22204
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-22 01:05:09 UTC
*** Bug 256028 has been marked as a duplicate of this bug. ***
Comment 6 takefu 2022-03-08 10:03:21 UTC
Update to 12.30
  bug#260590
Comment 7 takefu 2022-06-22 06:44:07 UTC
dup Bug#264618
Comment 8 Rafael Grether 2022-06-24 15:12:24 UTC
@COMMITTER, please close this PR.

This port was already updated in Bug#264618