|Summary:|graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerabilities)|
|Product:|Ports & Packages|
|Component:|Individual Port(s)|
|Severity:|Affects Many People|
|Reporter:|Mark Felder <feld>|
|Assignee:|Mark Felder <feld>|
|CC:|devin, lwhsu, ports-secteam, takefu|
Description Mark Felder 2021-05-11 21:24:20 UTC
Created attachment 224861: exiftool patch

I only suggest we bump to 12.25, which is a development release, instead of the latest production release because there is a severe security bug that has only been fixed in development releases.

https://exiftool.org/history.html <-- still lists 12.16 as latest
https://seclists.org/oss-sec/2021/q2/114

I am told that this is exploitable with specially crafted files that are not DJVU -- like common formats of JPEG, PNG, etc -- but I haven't found a public PoC for that.
Comment 1 Li-Wen Hsu 2021-05-12 11:52:39 UTC
Submitter is a committer.
Comment 2 takefu 2021-05-20 12:17:42 UTC
Created attachment 225118: p5-Image-ExifTool-12.16.patch

Jan. 21, 2021 - Version 12.16 (production release)
https://exiftool.org/history.html#v12.16
Comment 3 Mark Felder 2021-05-20 15:54:46 UTC
(In reply to takefu from comment #2)

But this version is still vulnerable... We shouldn't push a new release missing an important security fix.
Comment 4 takefu 2021-05-21 15:16:22 UTC
Created attachment 225152: p5-Image-ExifTool-12.16.patch

fix CVE-2021-22204