Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 785667 (CVE-2021-22204) - <media-libs/exiftool-12.16-r1: Code execution when parsing DjVu files (CVE-2021-22204)
Summary: <media-libs/exiftool-12.16-r1: Code execution when parsing DjVu files (CVE-20...
Status: IN_PROGRESS
Alias: CVE-2021-22204
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/exiftool/exiftool/...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 791397
Blocks:
  Show dependency tree
 
Reported: 2021-04-25 17:28 UTC by Sam James
Modified: 2021-05-30 21:04 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/exiftool-12.16-r1
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-04-25 17:28:25 UTC
Description:
"Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image"

Fixed in 12.24. Please bump.
Comment 1 Sam James archtester gentoo-dev Security 2021-04-26 22:19:15 UTC
@perl if you can try look at this soon?
Comment 2 Attila Tóth 2021-05-02 18:27:28 UTC
exiftool-12.25 is available upstreams and compiles as expected.
Comment 3 Larry the Git Cow gentoo-dev 2021-05-03 13:57:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d7a897605b349d4f2c8e87907876b42e99f8ffa

commit 6d7a897605b349d4f2c8e87907876b42e99f8ffa
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-03 13:57:33 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-03 13:57:33 +0000

    media-libs/exiftool: fix CVE-2021-22204
    
    Bug: https://bugs.gentoo.org/785667
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/exiftool/exiftool-12.16-r1.ebuild       | 27 +++++++++++++++++++
 .../files/exiftool-12.16-CVE-2021-22204.patch      | 30 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 4 Sam James archtester gentoo-dev Security 2021-05-03 16:57:34 UTC
ppc done
Comment 5 Sam James archtester gentoo-dev Security 2021-05-04 19:11:08 UTC
amd64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-05-04 21:27:12 UTC
x86 done
Comment 7 Sergei Trofimovich gentoo-dev 2021-05-06 09:19:27 UTC
ppc64 stable
Comment 8 Sam James archtester gentoo-dev Security 2021-05-06 10:01:13 UTC
arm64 done

all arches done
Comment 9 John Helmert III gentoo-dev Security 2021-05-13 13:46:25 UTC
Please cleanup
Comment 10 Larry the Git Cow gentoo-dev 2021-05-13 13:48:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe715cdbd52629a1deb0f8cf83206c54a5fc92b4

commit fe715cdbd52629a1deb0f8cf83206c54a5fc92b4
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-13 13:48:20 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-13 13:48:20 +0000

    media-libs/exiftool: Remove old
    
    Bug: https://bugs.gentoo.org/785667
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-libs/exiftool/Manifest              |  1 -
 media-libs/exiftool/exiftool-12.08.ebuild | 25 -------------------------
 media-libs/exiftool/exiftool-12.16.ebuild | 25 -------------------------
 3 files changed, 51 deletions(-)
Comment 11 Andreas K. Hüttel gentoo-dev 2021-05-30 21:03:01 UTC
Gone from the tree.
Comment 12 NATTkA bot gentoo-dev 2021-05-30 21:04:46 UTC
Unable to check for sanity:

> no match for package: media-libs/exiftool-12.16-r1