Bug 264618

Summary: graphics/p5-Image-ExifTool: Update to 12.42 - (fixed security vulnerability)
Product: Ports & Packages
Reporter: Rafael Grether <devnull>
Component: Individual Port(s)
Assignee: Neel Chauhan <nc>
Status: Closed FIXED
Severity: Affects Many People
CC: nc, ports-secteam, takefu
Priority: ---
Keywords: security
Version: Latest
Flags: devnull: merge-quarterly?
Hardware: Any
OS: Any
URL: https://exiftool.org/history.html
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264873
Attachments:
Description | Flags
Updating-p5-Image-ExifTool-12.42 | devnull: maintainer-approval+
vuXML-CVE-2022-23935 | devnull: maintainer-approval+

Description Rafael Grether 2022-06-11 18:22:04 UTC
Created attachment 234623
Updating-p5-Image-ExifTool-12.42

@COMMITTER, please update graphics/p5-Image-ExifTool.

There is also a security vulnerability, leading to RCE.
Added entry in VuXML: CVE-2022-23935

QA tests passed.
Comment 1 Rafael Grether 2022-06-11 18:24:27 UTC
Created attachment 234624
vuXML-CVE-2022-23935

Added vuXML entry:
CVE-2022-23935
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-06-21 21:10:19 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=37712655fcaaaa0d99082c17db774f63cbd878a8

commit 37712655fcaaaa0d99082c17db774f63cbd878a8
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-06-11 17:20:18 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-06-21 21:09:38 +0000

    graphics/p5-Image-ExifTool: Update to 12.42

    PR:             264618
    MFH:            2022Q2 (security blanket)
    Security:       CVE-2022-23935

 graphics/p5-Image-ExifTool/Makefile  | 2 +-
 graphics/p5-Image-ExifTool/distinfo  | 6 +++---
 graphics/p5-Image-ExifTool/pkg-plist | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-06-21 21:10:20 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d1a91ac3af2def2af574b9d6266ead4811aaf6fd

commit d1a91ac3af2def2af574b9d6266ead4811aaf6fd
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-06-21 21:05:51 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-06-21 21:09:38 +0000

    graphics/p5-Image-ExifTool: Add an vuxml entry for update 12.42

    PR:     264618

 security/vuxml/vuln-2022.xml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
Comment 4 Neel Chauhan freebsd_committer freebsd_triage 2022-06-21 21:10:58 UTC
Committed and MFH'd!
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-06-21 21:11:21 UTC
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=294ffa9e571f7489af1b75cc82dba8941772d02c

commit 294ffa9e571f7489af1b75cc82dba8941772d02c
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-06-11 17:20:18 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-06-21 21:10:35 +0000

    graphics/p5-Image-ExifTool: Update to 12.42

    PR:             264618
    MFH:            2022Q2 (security blanket)
    Security:       CVE-2022-23935
    (cherry picked from commit 37712655fcaaaa0d99082c17db774f63cbd878a8)

 graphics/p5-Image-ExifTool/Makefile  | 2 +-
 graphics/p5-Image-ExifTool/distinfo  | 6 +++---
 graphics/p5-Image-ExifTool/pkg-plist | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)
Comment 6 takefu 2022-06-22 06:42:10 UTC
*** Bug 262414 has been marked as a duplicate of this bug. ***