Bug 255803 - graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerabilities)
Summary: graphics/p5-Image-ExifTool: Update to 12.26 (Fixes multiple security vulnerab...
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Mark Felder
URL: https://exiftool.org/history.html#v12.26
Keywords: needs-patch, needs-qa
: 256028 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-05-11 21:24 UTC by Mark Felder
Modified: 2021-05-22 01:07 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (devin)
koobs: merge-quarterly?


Attachments
exiftool patch (3.01 KB, patch)
2021-05-11 21:24 UTC, Mark Felder
no flags Details | Diff
p5-Image-ExifTool-12.16.patch (2.88 KB, patch)
2021-05-20 12:17 UTC, takefu
no flags Details | Diff
p5-Image-ExifTool-12.16.patch (5.69 KB, patch)
2021-05-21 15:16 UTC, takefu
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Felder freebsd_committer 2021-05-11 21:24:20 UTC
Created attachment 224861 [details]
exiftool patch

I only suggest we bump to 12.25 which is a development release instead of the latest production release because there is a severe security bug that has only been fixed in development releases.

https://exiftool.org/history.html  <-- still lists 12.16 as latest

https://seclists.org/oss-sec/2021/q2/114

I am told that this is exploitable with specially crafted files that are not DJVU -- like common formats of JPEG, PNG, etc -- but I haven't found a public PoC for that.
Comment 1 Li-Wen Hsu freebsd_committer 2021-05-12 11:52:39 UTC
Submitter is a committer.
Comment 2 takefu 2021-05-20 12:17:42 UTC
Created attachment 225118 [details]
p5-Image-ExifTool-12.16.patch

Jan. 21, 2021 - Version 12.16 (production release)

https://exiftool.org/history.html#v12.16
Comment 3 Mark Felder freebsd_committer 2021-05-20 15:54:46 UTC
(In reply to takefu from comment #2)

but this version is still vulnerable... we shouldn't push a new release missing an important security fix.
Comment 4 takefu 2021-05-21 15:16:22 UTC
Created attachment 225152 [details]
p5-Image-ExifTool-12.16.patch

fix CVE-2021-22204
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-22 01:05:09 UTC
*** Bug 256028 has been marked as a duplicate of this bug. ***