CVE-2021-22204: Improper neutralization of directives in dynamically evaluated code ('eval injection')

Related Vulnerabilities: CVE-2021-22204  

Debian Bug report logs - #987505


Reported by: gregor herrmann <gregoa@debian.org>

Date: Sat, 24 Apr 2021 20:27:02 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in versions libimage-exiftool-perl/11.16-1, libimage-exiftool-perl/7.89-1, libimage-exiftool-perl/12.16+dfsg-1

Fixed in version libimage-exiftool-perl/12.16+dfsg-2

Done: gregor herrmann <gregoa@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#987505; Package libimage-exiftool-perl. (Sat, 24 Apr 2021 20:27:04 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 24 Apr 2021 20:27:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2021-22204: Improper neutralization of directives in dynamically evaluated code ('eval injection')
Date: Sat, 24 Apr 2021 22:24:43 +0200
Package: libimage-exiftool-perl
Version: 7.89-1
Severity: serious
Tags: security upstream patch fixed-upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204

"Improper neutralization of user data in the DjVu file format in
ExifTool versions 7.44 and up allows arbitrary code execution when
parsing the malicious image"

Fixed upstream in 12.24:
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800

Also https://bugs.launchpad.net/bugs/1925985




Message sent on to gregor herrmann <gregoa@debian.org>:
Bug#987505. (Sat, 24 Apr 2021 20:45:06 GMT)


Message #8 received at 987505-submitter@bugs.debian.org:

From: gregor herrmann <noreply@salsa.debian.org>
To: 987505-submitter@bugs.debian.org
Subject: Bug#987505 marked as pending in libimage-exiftool-perl
Date: Sat, 24 Apr 2021 20:42:50 +0000
Control: tag -1 pending

Hello,

Bug #987505 in libimage-exiftool-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libimage-exiftool-perl/-/commit/0347501fda93cb8366d6451aedcf258b34fb4a2b

------------------------------------------------------------------------
Add patch CVE-2021-22204.patch, taken from upstream release 12.24.

The patch fixes CVE-2021-22204: Improper neutralization of user data in the
DjVu file format in ExifTool versions 7.44 and up allows arbitrary code
execution when parsing the malicious image.

Thanks: William Bowling for the bug report on Launchpad.
Closes: #987505
LP: #1925985
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/987505



Added tag(s) pending. Request was from gregor herrmann <noreply@salsa.debian.org> to 987505-submitter@bugs.debian.org. (Sat, 24 Apr 2021 20:45:06 GMT)


Message sent on to gregor herrmann <gregoa@debian.org>:
Bug#987505. (Sat, 24 Apr 2021 21:00:35 GMT)


Message #13 received at 987505-submitter@bugs.debian.org:

From: gregor herrmann <noreply@salsa.debian.org>
To: 987505-submitter@bugs.debian.org
Subject: Bug#987505 marked as pending in libimage-exiftool-perl
Date: Sat, 24 Apr 2021 20:59:03 +0000
Control: tag -1 pending

Hello,

Bug #987505 in libimage-exiftool-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libimage-exiftool-perl/-/commit/0347501fda93cb8366d6451aedcf258b34fb4a2b

------------------------------------------------------------------------
Add patch CVE-2021-22204.patch, taken from upstream release 12.24.

The patch fixes CVE-2021-22204: Improper neutralization of user data in the
DjVu file format in ExifTool versions 7.44 and up allows arbitrary code
execution when parsing the malicious image.

Thanks: William Bowling for the bug report on Launchpad.
Closes: #987505
LP: #1925985
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/987505



Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Sat, 24 Apr 2021 21:06:03 GMT)


Notification sent to gregor herrmann <gregoa@debian.org>:
Bug acknowledged by developer. (Sat, 24 Apr 2021 21:06:03 GMT)


Message #18 received at 987505-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 987505-close@bugs.debian.org
Subject: Bug#987505: fixed in libimage-exiftool-perl 12.16+dfsg-2
Date: Sat, 24 Apr 2021 21:03:25 +0000
Source: libimage-exiftool-perl
Source-Version: 12.16+dfsg-2
Done: gregor herrmann <gregoa@debian.org>

We believe that the bug you reported is fixed in the latest version of
libimage-exiftool-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987505@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libimage-exiftool-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 24 Apr 2021 22:40:21 +0200
Source: libimage-exiftool-perl
Architecture: source
Version: 12.16+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 987505
Changes:
 libimage-exiftool-perl (12.16+dfsg-2) unstable; urgency=medium
 .
   * Add patch CVE-2021-22204.patch, taken from upstream release 12.24.
     The patch fixes CVE-2021-22204: Improper neutralization of user data in
     the DjVu file format in ExifTool versions 7.44 and up allows arbitrary
     code execution when parsing the malicious image.
     Thanks to William Bowling for the bug report on Launchpad.
     (Closes: #987505) (LP: #1925985)
Checksums-Sha1:
 4f23c6c05773f00ff901d11dfc1bba4fe937e0f2 2544 libimage-exiftool-perl_12.16+dfsg-2.dsc
 6579ec3d099a71a0fa9cf802c282eb4038dae37c 10820 libimage-exiftool-perl_12.16+dfsg-2.debian.tar.xz
Checksums-Sha256:
 82d15d02941df73061a5a586e2ffd6df993fddccfc17b2fe03ea5a3c70ff18b4 2544 libimage-exiftool-perl_12.16+dfsg-2.dsc
 77e40f7694d631b9c53dfd57f4495f1948d71b4cffbe78cac2a52795032c32ed 10820 libimage-exiftool-perl_12.16+dfsg-2.debian.tar.xz
Files:
 a9569666222f953a225b674d2f6d4f2e 2544 perl optional libimage-exiftool-perl_12.16+dfsg-2.dsc
 187fe61269d36b2ed864ed186fd70caa 10820 perl optional libimage-exiftool-perl_12.16+dfsg-2.debian.tar.xz





Marked as found in versions libimage-exiftool-perl/12.16+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Apr 2021 06:03:02 GMT)


Marked as found in versions libimage-exiftool-perl/11.16-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Apr 2021 06:03:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 25 08:07:27 2021; Machine Name: bembo
