Bug 260590 - URGENT graphics/p5-Image-ExifTool security update needs commit since February, Request MAINTAINER'ship
Summary: URGENT graphics/p5-Image-ExifTool security update needs commit since February...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Tobias C. Berner
URL: https://metacpan.org/dist/Image-ExifT...
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-12-21 15:23 UTC by Rafael Grether
Modified: 2022-03-25 07:10 UTC (History)
7 users (show)

See Also:
devnull: maintainer-feedback-
tcberner: merge-quarterly+


Attachments
[PATCH] graphics/p5-Image-ExifTool: update to 12.30 (9.53 KB, patch)
2022-01-20 23:19 UTC, Rafael Grether
no flags Details | Diff
VuXML entry (954 bytes, text/plain)
2022-01-24 14:47 UTC, Rafael Grether
no flags Details
[PATCH] graphics/p5-Image-ExifTool: update to 12.30 (8.53 KB, patch)
2022-01-29 17:53 UTC, Rafael Grether
koobs: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Rafael Grether 2021-12-21 15:23:59 UTC
Please update Exiftool. Exiftool is at version 12.30 on production release.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2022-01-19 00:28:48 UTC
Among a substantial number of bugfixes, there have been multiple security vulnerabilities addressed in versions between current port version and the latest:

July 9, 2021 - Version 12.29
..
  - Patched a security issue
May 20, 2021 - Version 12.26 (production release)
..
  - Patched security vulnerability in argument of -lang option
Apr. 13, 2021 - Version 12.24
...
  - Patched security vulnerability in DjVu reader

1) We'll need security/vuxml entries for these along with additional information from upstream on their nature, including CVE and other upstream (issue, pr, commit) reference links where available

So that the security changes can be merged to quarterly branch, and given there have been some API changes in prior versions, either:

- Separation/backporting of the security fixes (commits) separately and prior to the version update, OR

- Confirmation that the latest version is supported by, and works with all ports that depend on it, so that the latest version can be merged to quarterly without regression.
Comment 2 Rafael Grether 2022-01-20 23:19:40 UTC
Created attachment 231196 [details]
[PATCH] graphics/p5-Image-ExifTool: update to 12.30

[PATCH] graphics/p5-Image-ExifTool: update to 12.30

 ExifTool is at version 12.30 in production release.
 Besides minor fixes and improvements, this release is about security fixes.

 CVE-2021-22204
 Anyone using ExifTool (Version 12.24) can be triggered with a valid image
 leading to arbitrary code execution, through
 improper neutralization of user data in the DjVu file format

 Other security fixes without CVE related.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2022-01-21 23:40:36 UTC
Thank you for the patch Rafael. If you could take care of the addition of security/vuxml entries that would be great. If you need help with this #freebsd-ports on Libera Chat IRC or #ports on FreeBSD Discord
Comment 4 Rafael Grether 2022-01-22 20:03:04 UTC
For sure, Kubilay! I will do this.
Comment 5 Rafael Grether 2022-01-24 14:47:56 UTC
Created attachment 231273 [details]
VuXML entry

Added a new entry in VuXML, identified by VID 955f377e-7bc3-11ec-a51c-7533f219d428

It has been largely exploited in the wild.
Exploit: https://github.com/se162xg/CVE-2021-22204

Also, GitLab CE/EE was vulnerable too (until 13.10.2 version), since GitLab CE/EE Preauth RCE use ExifTool. But the package is already updated in FreeBSD ports, so GitLab is no longer vulnerable.
So I don't know if it's necessary to add a new entry in vuXML for GitLabCE. If so, let me know so I can add it too.
Comment 6 Rafael Grether 2022-01-29 17:53:34 UTC
Created attachment 231433 [details]
[PATCH] graphics/p5-Image-ExifTool: update to 12.30
Comment 7 Rafael Grether 2022-01-29 17:58:32 UTC
ports-secteam, since the maintainer did not respond, please commit these changes and change the maintainer.

Last commit with QA adjustment.

ExifTool is at version 12.30 in production release.
Besides minor fixes and improvements, this release is about security fixes.

CVE-2021-22204
Anyone using ExifTool (Version 12.24) can be triggered with a valid image
leading to arbitrary code execution, through
improper neutralization of user data in the DjVu file format
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2022-02-09 23:56:16 UTC
Comment on attachment 231433 [details]
[PATCH] graphics/p5-Image-ExifTool: update to 12.30

Approved by: portmgr (maintainer timeout: 21 days)

@Reporter Could you please address question and decision from comment 1, namely...

So that the security changes can be merged to quarterly branch, and given there have been some API changes in prior versions, either:

1) Separation/backporting of the security fixes (commits) separately and prior to the version update

OR 

2) Confirmation that the *latest version is supported by, and works with all ports that depend on it*, so that the latest version can be merged to quarterly without regression.

At a minimum a reverse dependents build test, ideally test suite passes for reverse dependents (build tests dont necessarily pickup runtime API compatibility issues)
Comment 9 Rafael Grether 2022-03-09 22:45:41 UTC
@koobs, my decision is under second point (2).

All reverse dependents (12 in total):
fgallery, fotoxx, gitlab-workhorse, hugin, npretty, p5-MojoMojo, p5-Toader, py38-mat2, py38-pdf-redact-tools, rapid-photo-downloader, recoll, renrot

were builded in a Jail, to ensure an independent testing environment.

After build test, 8 reverse dependencies:
fgallery, hugin, npretty, py38-mat2, y38-pdf-redact-tools, rapid-photo-downloader, recoll, renrot

were tested in the RunTime execution, and the test passes.

So, the latest version is supported by all ports that depends on it.
Comment 10 Rafael Grether 2022-03-15 23:32:10 UTC
ports-secteam and portmgr, please commit these changes and change the maintainer.
Comment 11 Tobias C. Berner freebsd_committer 2022-03-25 05:20:55 UTC
Moin moin 

Any committer could have done this change. 
Neither portmgr@ nor ports-secteam@ is required here.



mfg Tobias
Comment 12 commit-hook freebsd_committer 2022-03-25 07:09:27 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=53cfad57e02981559cf37679830b9b49496218f3

commit 53cfad57e02981559cf37679830b9b49496218f3
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-01-29 17:33:17 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-25 07:06:40 +0000

    graphics/p5-Image-ExifTool: update to 12.30

    ExifTool is a platform-independent Perl library plus a command-line application
    for reading, writing and editing meta information in a wide variety of files.

    ExifTool is at version 12.30 in production release.
    Besides minor fixes and improvements, this release is about security fixes.

    CVE-2021-22204
    Anyone using ExifTool (Version 12.24) can be triggered with a valid image
    leading to arbitrary code execution, through
    improper neutralization of user data in the DjVu file format

    Other security fixes without CVE related.

    * Give maintainership to Rafael Grether

    Approved by:    evin@sevenlayer.studio (maintainer, timeout)
    PR:             260590
    Security:       CVE-2021-22204

 graphics/p5-Image-ExifTool/Makefile  |  6 +++---
 graphics/p5-Image-ExifTool/distinfo  |  6 +++---
 graphics/p5-Image-ExifTool/pkg-descr | 27 +++++++++++++++------------
 graphics/p5-Image-ExifTool/pkg-plist | 14 ++++++++++++--
 4 files changed, 33 insertions(+), 20 deletions(-)
Comment 13 commit-hook freebsd_committer 2022-03-25 07:09:29 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a7d64bf0bc13975780175e420d7b242d61daa814

commit a7d64bf0bc13975780175e420d7b242d61daa814
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-03-25 07:05:40 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-25 07:06:39 +0000

    security/vuxml: Document graphics/p5-Image-ExifTool vulnerability

    Security:       CVE-2021-22204
    PR:             260590

 security/vuxml/vuln-2022.xml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
Comment 14 commit-hook freebsd_committer 2022-03-25 07:09:30 UTC
A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=96447b146b5cb4f0eff34a16057f3b04f79538ea

commit 96447b146b5cb4f0eff34a16057f3b04f79538ea
Author:     Rafael Grether <devnull@apt322.org>
AuthorDate: 2022-01-29 17:33:17 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-25 07:08:58 +0000

    graphics/p5-Image-ExifTool: update to 12.30

    ExifTool is a platform-independent Perl library plus a command-line application
    for reading, writing and editing meta information in a wide variety of files.

    ExifTool is at version 12.30 in production release.
    Besides minor fixes and improvements, this release is about security fixes.

    CVE-2021-22204
    Anyone using ExifTool (Version 12.24) can be triggered with a valid image
    leading to arbitrary code execution, through
    improper neutralization of user data in the DjVu file format

    Other security fixes without CVE related.

    * Give maintainership to Rafael Grether

    Approved by:    evin@sevenlayer.studio (maintainer, timeout)
    PR:             260590
    Security:       CVE-2021-22204

    (cherry picked from commit 53cfad57e02981559cf37679830b9b49496218f3)

 graphics/p5-Image-ExifTool/Makefile  |  6 +++---
 graphics/p5-Image-ExifTool/distinfo  |  6 +++---
 graphics/p5-Image-ExifTool/pkg-descr | 27 +++++++++++++++------------
 graphics/p5-Image-ExifTool/pkg-plist | 14 ++++++++++++--
 4 files changed, 33 insertions(+), 20 deletions(-)
Comment 15 Tobias C. Berner freebsd_committer 2022-03-25 07:10:28 UTC
Committed.

Note: there is already a .40 release by now; So, as the new maintainer, get on it :D 

mfg Tobias