Bug 255803

Summary: graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerabilities)
Product: Ports & Packages Reporter: Mark Felder <feld>
Component: Individual Port(s)Assignee: Mark Felder <feld>
Status: Open ---    
Severity: Affects Many People CC: devin, lwhsu, ports-secteam, takefu
Priority: Normal Keywords: needs-patch, needs-qa
Version: LatestFlags: bugzilla: maintainer-feedback? (devin)
koobs: merge-quarterly?
Hardware: Any   
OS: Any   
URL: https://exiftool.org/history.html#v12.26
Attachments:
Description Flags
exiftool patch
none
p5-Image-ExifTool-12.16.patch
none
p5-Image-ExifTool-12.16.patch none

Description Mark Felder freebsd_committer 2021-05-11 21:24:20 UTC
Created attachment 224861 [details]
exiftool patch

I only suggest we bump to 12.25 which is a development release instead of the latest production release because there is a severe security bug that has only been fixed in development releases.

https://exiftool.org/history.html  <-- still lists 12.16 as latest

https://seclists.org/oss-sec/2021/q2/114

I am told that this is exploitable with specially crafted files that are not DJVU -- like common formats of JPEG, PNG, etc -- but I haven't found a public PoC for that.
Comment 1 Li-Wen Hsu freebsd_committer 2021-05-12 11:52:39 UTC
Submitter is a committer.
Comment 2 takefu 2021-05-20 12:17:42 UTC
Created attachment 225118 [details]
p5-Image-ExifTool-12.16.patch

Jan. 21, 2021 - Version 12.16 (production release)

https://exiftool.org/history.html#v12.16
Comment 3 Mark Felder freebsd_committer 2021-05-20 15:54:46 UTC
(In reply to takefu from comment #2)

but this version is still vulnerable... we shouldn't push a new release missing an important security fix.
Comment 4 takefu 2021-05-21 15:16:22 UTC
Created attachment 225152 [details]
p5-Image-ExifTool-12.16.patch

fix CVE-2021-22204
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-22 01:05:09 UTC
*** Bug 256028 has been marked as a duplicate of this bug. ***