Bug 29999 - perl-Image-ExifTool new security issue CVE-2022-23935
Summary: perl-Image-ExifTool new security issue CVE-2022-23935
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-04 16:20 CET by David Walser
Modified: 2022-10-24 00:49 CEST
CC List: 6 users

See Also:
Source RPM: perl-Image-ExifTool-12.0.0-1.1.mga8.src.rpm
CVE: CVE-2022-23935
Status comment:



Description David Walser 2022-02-04 16:20:06 CET
Fedora has issued an advisory today (February 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BKMOJHTMTSAYV7B2A27CBMM7IBAZIRWE/

The issue is fixed upstream in 12.38.

Mageia 8 is also affected.
David Walser 2022-02-04 16:20:17 CET

Whiteboard: (none) => MGA8TOO

David Walser 2022-02-04 16:20:39 CET

Status comment: (none) => Fixed upstream in 12.38

Comment 1 Lewis Smith 2022-02-04 21:28:03 CET
Assigning to tv since you have dealt with this often in the past.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Lécureuil 2022-02-08 13:31:46 CET
There is no official 12.38 for now.
Maybe better to use the commit as a patch.

CC: (none) => mageia

Comment 3 David Walser 2022-02-08 15:44:17 CET
That would be fine.
Comment 4 Nicolas Salguero 2022-10-20 12:17:47 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection. (CVE-2022-23935)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23935
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BKMOJHTMTSAYV7B2A27CBMM7IBAZIRWE/
========================

Updated package in core/updates_testing:
========================
perl-Image-ExifTool-12.0.0-1.2.mga8

from SRPM:
perl-Image-ExifTool-12.0.0-1.2.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 12.38 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-23935
Source RPM: perl-Image-ExifTool-12.300.0-2.mga9.src.rpm => perl-Image-ExifTool-12.0.0-1.1.mga8.src.rpm

Comment 5 Len Lawrence 2022-10-22 22:24:34 CEST
CVE-2022-23935
https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429
Before:
$ touch 'touch pwn |'
$ exiftool 'touch pwn |'
ExifTool Version Number         : 12.00
File Name                       : touch pwn |
Directory                       : .
Error                           : File is empty
$ ls pwn
pwn

Afterwards:
$ rm -f pwn
$ 'touch pwn |'
$ ls pwn
ls: cannot access 'pwn': No such file or directory
$ exiftool 'touch pwn |'
ExifTool Version Number         : 12.00
File Name                       : touch pwn |
Directory                       : .
File Size                       : 0 bytes
File Modification Date/Time     : 2022:10:22 20:18:37+01:00
File Access Date/Time           : 2022:10:22 20:18:37+01:00
File Inode Change Date/Time     : 2022:10:22 20:18:37+01:00
File Permissions                : rw-r--r--
Error                           : File is empty
$ ls pwn
ls: cannot access 'pwn': No such file or directory

This shows that any command injection via the pipe is prevented.

exiftool works with most image formats.
$ exiftool surfacefly_spirit.swf
ExifTool Version Number         : 12.00
File Name                       : surfacefly_spirit.swf
Directory                       : .
File Size                       : 19 MB
[...]
MIME Type                       : application/x-shockwave-flash
Flash Version                   : 6
Compressed                      : True
....
$ exiftool screenshot.tif
ExifTool Version Number         : 12.00
[...]
Planar Configuration            : Chunky
Page Number                     : 0 1
Software                        : GraphicsMagick 1.3.30 2018-06-23 Q8 http://www.GraphicsMagick.org/
[...]
Megapixels                      : 8.3

Tried different files by extension: JPM, PGM, BMP, MIFF, TIFF, PPM, RAF (screeds of data), EPS/PS, JPG, JP2,
SVG, XML (XMP), PNG, GIF, but GD/GD2, targa and PGX were marked as unknown file types and WMF as unsupported.
file reports GD/GD2 files as data, so they are probably sets of drawing instructions.
It even returned a polite answer for a hexdump.
The extension is effectively ignored, as expected.

This all looks OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
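
The advisory text in Comment 4 and the 'touch pwn |' test in Comment 5 both rest on the same Perl behaviour: with the two-argument form of open(), the mode is inferred from the string itself, so a string ending in '|' is run as a shell command and its output is read, rather than being opened as a file. The script below is an added illustration written for this bug page; it is not ExifTool's own Open() code and not the 12.38 fix. The helper names (open_twoarg, open_threearg, open_maybe_pipe), the marker file and the constructed "touch ... |" payload are all assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not ExifTool code: why a file name ending in '|' is
# dangerous with Perl's two-argument open(), and why a three-argument
# open() with an explicit mode treats the same string as a plain path.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed payload (hypothetical): a "file name" that is really a
# shell command followed by a trailing pipe symbol, like 'touch pwn |'.
my $dir     = tempdir(CLEANUP => 1);
my $marker  = "$dir/pwn";
my $payload = "touch '$marker' |";

# Vulnerable pattern: mode inferred from the string. A trailing '|'
# makes Perl run the left-hand side as a command and read its stdout.
sub open_twoarg {
    my ($file) = @_;
    open(my $fh, $file) or return 0;    # executes "touch '...'" via the shell
    close($fh);                         # waits for the child to finish
    return 1;
}

# Hardened pattern: mode is a separate argument, so the string is always
# a path. The trailing '|' is just another byte in the file name.
sub open_threearg {
    my ($file) = @_;
    open(my $fh, '<', $file) or return 0;   # no command interpretation
    close($fh);
    return 1;
}

# If reading from a command pipe is a supported feature, require an
# explicit opt-in from the caller instead of deciding from the input.
# $trust_pipe is a hypothetical flag for this example.
sub open_maybe_pipe {
    my ($file, $trust_pipe) = @_;
    if ($file =~ /\|$/ && $trust_pipe) {
        my $cmd = substr($file, 0, -1);               # drop the trailing '|'
        open(my $pipe_fh, '-|', $cmd) or return undef; # explicit pipe mode
        return $pipe_fh;
    }
    open(my $fh, '<', $file) or return undef;          # always a path
    return $fh;
}

sub marker_state { return -e $marker ? 'CREATED (command ran)' : 'absent' }

unlink $marker;
open_twoarg($payload);
print "two-arg open:           marker ", marker_state(), "\n";

unlink $marker;
open_threearg($payload);
print "three-arg open:         marker ", marker_state(), "\n";

unlink $marker;
my $fh = open_maybe_pipe($payload, 0);   # untrusted input: treated as a path
print "gated, trust_pipe=0:    ", (defined $fh ? 'opened' : 'open failed'),
      ", marker ", marker_state(), "\n";

unlink $marker;
$fh = open_maybe_pipe($payload, 1);      # caller explicitly asked for a pipe
close($fh) if defined $fh;
print "gated, trust_pipe=1:    marker ", marker_state(), "\n";
```

Run it with `perl pipe-open-demo.pl`: only the two-argument open and the explicitly trusted pipe create the marker, which is exactly the difference Comment 5 observes before and after the update. The check that matters is not the regex on '|' itself but whether the decision to run a command is made from untrusted input or from an explicit caller choice.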

Comment 6 Thomas Andrews 2022-10-23 01:22:10 CEST
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-23 23:37:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-10-24 00:49:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0381.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

