| Summary: | perl-Image-ExifTool new security issue CVE-2021-22204 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | perl-Image-ExifTool-12.160.0-1.mga9.src.rpm | CVE: | CVE-2021-22204 |
| Status comment: | |||
|
Description
David Walser
2021-05-15 00:29:55 CEST
David Walser
2021-05-15 00:30:08 CEST
Whiteboard:
(none) =>
MGA8TOO, MGA7TOO Fedora has issued an advisory for this on May 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/ Debian has issued an advisory for this on May 2: https://www.debian.org/security/2021/dsa-4910 openSUSE has issued an advisory for this on May 10: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SLQ4XG6SNL6OL7SHPBZLVWYCAEZGZW5X/ Fixed in mga 7/8
src:
- perl-Image-ExifTool-11.300.0-1.1.mga7
- perl-Image-ExifTool-12.0.0-1.1.mga8CC:
(none) =>
mageia
Nicolas Lécureuil
2021-06-12 23:51:03 CEST
Assignee:
thierry.vignaud =>
qa-bugs MGA7-64-Plasma in VirtualBox. Before the update, the POC shows this:
$ printf 'P1 1 1 0' > moo.pbm
$ cjb2 moo.pbm moo.djvu
$ printf 'ANTa\0\0\0\40"(xmp(\\\n".qx(cowsay pwned>&2);#"' >> moo.djvu
$ exiftool moo.djvu > /dev/null
_______
< pwned >
-------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
No installation issues with the update. After the update, the POC commands result in no output.
It looks like that is what is expected, so giving this an OK for MGA7.Whiteboard:
MGA7TOO =>
MGA7TOO MGA7-64-OK Same test as before, only with MGA8, same results. OK for MGA8. Validating. I gotta say, I've milked more than a few cows in my time, and some were prettier than others, but those have to be the ugliest cows I have ever dealt with. Terrible conformation, and they look underfed... Whiteboard:
MGA7TOO MGA7-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK Advisory: ======================== Updates perl-Image-ExifTool package fixes a security vulnerability: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image (CVE-2021-22204). References: - https://bugs.mageia.org/show_bug.cgi?id=28927 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204 - https://www.openwall.com/lists/oss-security/2021/05/09/1 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/ - https://www.debian.org/security/2021/dsa-4910 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SLQ4XG6SNL6OL7SHPBZLVWYCAEZGZW5X/ ======================== Updated packages in 7/core/updates_testing: ======================== perl-Image-ExifTool-11.300.0-1.1.mga7 from SRPM: perl-Image-ExifTool-11.300.0-1.1.mga7.src.rpm ======================== Updated packages in 8/core/updates_testing: ======================== perl-Image-ExifTool-12.0.0-1.1.mga8 from SRPM: perl-Image-ExifTool-12.0.0-1.1.mga8.src.rpm ======================== CVE:
(none) =>
CVE-2021-22204 An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0259.html Status:
NEW =>
RESOLVED |