Bug 785667 (CVE-2021-22204)

Summary:	<media-libs/exiftool-12.16-r1: Code execution when parsing DjVu files (CVE-2021-22204)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	atoth
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
Whiteboard:	B2 [glsa cve]
Package list:	media-libs/exiftool-12.16-r1	Runtime testing required:	---
Bug Depends on:	791397
Bug Blocks:

Description Sam James archtester

2021-04-25 17:28:25 UTC

Description:
"Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image"

Fixed in 12.24. Please bump.

Comment 1 Sam James archtester

2021-04-26 22:19:15 UTC

@perl if you can try look at this soon?

Comment 2 Attila Tóth 2021-05-02 18:27:28 UTC

exiftool-12.25 is available upstreams and compiles as expected.

Comment 3 Larry the Git Cow gentoo-dev

2021-05-03 13:57:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d7a897605b349d4f2c8e87907876b42e99f8ffa

commit 6d7a897605b349d4f2c8e87907876b42e99f8ffa
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-03 13:57:33 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-03 13:57:33 +0000

    media-libs/exiftool: fix CVE-2021-22204
    
    Bug: https://bugs.gentoo.org/785667
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/exiftool/exiftool-12.16-r1.ebuild       | 27 +++++++++++++++++++
 .../files/exiftool-12.16-CVE-2021-22204.patch      | 30 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)

Comment 4 Sam James archtester

2021-05-03 16:57:34 UTC

ppc done

Comment 5 Sam James archtester

2021-05-04 19:11:08 UTC

amd64 done

Comment 6 Sam James archtester

2021-05-04 21:27:12 UTC

x86 done

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2021-05-06 09:19:27 UTC

ppc64 stable

Comment 8 Sam James archtester

2021-05-06 10:01:13 UTC

arm64 done

all arches done

Comment 9 John Helmert III archtester

2021-05-13 13:46:25 UTC

Please cleanup

Comment 10 Larry the Git Cow gentoo-dev

2021-05-13 13:48:38 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe715cdbd52629a1deb0f8cf83206c54a5fc92b4

commit fe715cdbd52629a1deb0f8cf83206c54a5fc92b4
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-13 13:48:20 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-13 13:48:20 +0000

    media-libs/exiftool: Remove old
    
    Bug: https://bugs.gentoo.org/785667
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-libs/exiftool/Manifest              |  1 -
 media-libs/exiftool/exiftool-12.08.ebuild | 25 -------------------------
 media-libs/exiftool/exiftool-12.16.ebuild | 25 -------------------------
 3 files changed, 51 deletions(-)

Comment 11 Andreas K. Hüttel archtester

2021-05-30 21:03:01 UTC

Gone from the tree.

Comment 12 NATTkA bot gentoo-dev

2021-05-30 21:04:46 UTC

Unable to check for sanity:

> no match for package: media-libs/exiftool-12.16-r1

Comment 13 John Helmert III archtester

2021-07-22 03:44:52 UTC

GLSA request filed.