A security issue fixed upstream in ExifTool has been announced on May 9: https://www.openwall.com/lists/oss-security/2021/05/09/1 The issue is fixed upstream in 12.24. A PoC is given in the reply to the message above. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOOStatus comment: (none) => Fixed upstream in 12.24
*** Bug 28880 has been marked as a duplicate of this bug. ***
CC: (none) => nicolas.salguero
Fedora has issued an advisory for this on May 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/
Debian has issued an advisory for this on May 2: https://www.debian.org/security/2021/dsa-4910
openSUSE has issued an advisory for this on May 10: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SLQ4XG6SNL6OL7SHPBZLVWYCAEZGZW5X/
Fixed in mga 7/8 src: - perl-Image-ExifTool-11.300.0-1.1.mga7 - perl-Image-ExifTool-12.0.0-1.1.mga8
CC: (none) => mageiaStatus comment: Fixed upstream in 12.24 => (none)Version: Cauldron => 8Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: thierry.vignaud => qa-bugs
MGA7-64-Plasma in VirtualBox. Before the update, the POC shows this: $ printf 'P1 1 1 0' > moo.pbm $ cjb2 moo.pbm moo.djvu $ printf 'ANTa\0\0\0\40"(xmp(\\\n".qx(cowsay pwned>&2);#"' >> moo.djvu $ exiftool moo.djvu > /dev/null _______ < pwned > ------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || No installation issues with the update. After the update, the POC commands result in no output. It looks like that is what is expected, so giving this an OK for MGA7.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OKCC: (none) => andrewsfarm
Same test as before, only with MGA8, same results. OK for MGA8. Validating. I gotta say, I've milked more than a few cows in my time, and some were prettier than others, but those have to be the ugliest cows I have ever dealt with. Terrible conformation, and they look underfed...
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory: ======================== Updates perl-Image-ExifTool package fixes a security vulnerability: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image (CVE-2021-22204). References: - https://bugs.mageia.org/show_bug.cgi?id=28927 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204 - https://www.openwall.com/lists/oss-security/2021/05/09/1 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/ - https://www.debian.org/security/2021/dsa-4910 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SLQ4XG6SNL6OL7SHPBZLVWYCAEZGZW5X/ ======================== Updated packages in 7/core/updates_testing: ======================== perl-Image-ExifTool-11.300.0-1.1.mga7 from SRPM: perl-Image-ExifTool-11.300.0-1.1.mga7.src.rpm ======================== Updated packages in 8/core/updates_testing: ======================== perl-Image-ExifTool-12.0.0-1.1.mga8 from SRPM: perl-Image-ExifTool-12.0.0-1.1.mga8.src.rpm ========================
CVE: (none) => CVE-2021-22204Keywords: (none) => advisoryCC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0259.html
Status: NEW => RESOLVEDResolution: (none) => FIXED