Fedora has issued an advisory today (February 4): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BKMOJHTMTSAYV7B2A27CBMM7IBAZIRWE/ The issue is fixed upstream in 12.38. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 12.38
Assigning to tv since you have dealt with this often in the past.
Assignee: bugsquad => thierry.vignaud
There is no official 12.38 for now. Maybe better to use the commit as a patch.
CC: (none) => mageia
That would be fine.
Suggested advisory:
========================

The updated package fixes a security vulnerability:

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/
check, leading to command injection. (CVE-2022-23935)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23935
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BKMOJHTMTSAYV7B2A27CBMM7IBAZIRWE/
========================

Updated package in core/updates_testing:
========================
perl-Image-ExifTool-12.0.0-1.2.mga8

from SRPM:
perl-Image-ExifTool-12.0.0-1.2.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 12.38 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-23935
Source RPM: perl-Image-ExifTool-12.300.0-2.mga9.src.rpm => perl-Image-ExifTool-12.0.0-1.1.mga8.src.rpm
CVE-2022-23935
https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429

Before:

$ touch 'touch pwn |'
$ exiftool 'touch pwn |'
ExifTool Version Number : 12.00
File Name : touch pwn |
Directory : .
Error : File is empty
$ ls pwn
pwn

Afterwards:

$ rm -f pwn
$ 'touch pwn |'
$ ls pwn
ls: cannot access 'pwn': No such file or directory
$ exiftool 'touch pwn |'
ExifTool Version Number : 12.00
File Name : touch pwn |
Directory : .
File Size : 0 bytes
File Modification Date/Time : 2022:10:22 20:18:37+01:00
File Access Date/Time : 2022:10:22 20:18:37+01:00
File Inode Change Date/Time : 2022:10:22 20:18:37+01:00
File Permissions : rw-r--r--
Error : File is empty
$ ls pwn
ls: cannot access 'pwn': No such file or directory

This shows that any command injection via the pipe is prevented.

exiftool works with most image formats.

$ exiftool surfacefly_spirit.swf
ExifTool Version Number : 12.00
File Name : surfacefly_spirit.swf
Directory : .
File Size : 19 MB
[...]
MIME Type : application/x-shockwave-flash
Flash Version : 6
Compressed : True
....

$ exiftool screenshot.tif
ExifTool Version Number : 12.00
[...]
Planar Configuration : Chunky
Page Number : 0 1
Software : GraphicsMagick 1.3.30 2018-06-23 Q8 http://www.GraphicsMagick.org/
[...]
Megapixels : 8.3

Tried different files by extension: JPM, PGM, BMP, MIFF, TIFF, PPM, RAF (screeds of data), EPS/PS, JPG, JP2, SVG, XML (XMP), PNG, GIF, but GD/GD2, Targa and PGX were marked as unknown file type and WMF as unsupported. file reports GD/GD2 files as data, so they are probably sets of drawing instructions. It even returned a polite answer for a hexdump. The extension is effectively ignored, as expected.

This all looks OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
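The test above shows the symptom (a file named 'touch pwn |' causes "touch pwn" to run) but not the mechanism. The following is an added illustration, not ExifTool's code and not a reproduction of the upstream fix: it shows the Perl behaviour that such a filename exploits. Perl's two-argument open treats a string ending in '|' as a command to run and read from, while the three-argument form with an explicit mode takes the name literally. The filename and the looks_like_pipe helper are constructed for this example; the helper only mirrors the kind of trailing-pipe check the advisory refers to and is not the upstream check.

```perl
#!/usr/bin/perl
# Added example (not ExifTool code): a filename ending in "|" under Perl's
# two-argument open becomes a shell command; the three-argument open does not.
use strict;
use warnings;

# Constructed filename: a real, empty file whose name ends in a pipe character.
my $name = 'echo INJECTED |';

# Create the literal file so both opens below have something to find.
open(my $create, '>', $name) or die "cannot create '$name': $!";
close $create;

# Two-argument open: Perl sees the trailing "|", runs "echo INJECTED" and
# hands us its stdout. The empty file on disk is never opened.
open(my $bad, $name) or die "2-arg open failed: $!";
my $bad_line = <$bad> // '';
chomp $bad_line;
close $bad;
print "2-arg open read '$bad_line' (a command was executed)\n";

# Three-argument open with an explicit '<' mode: the name is taken literally,
# the empty file is opened and no command runs.
open(my $good, '<', $name) or die "3-arg open failed: $!";
my $good_line = <$good> // '';
chomp $good_line;
close $good;
print "3-arg open read '$good_line' (the literal, empty file)\n";

# Illustrative (constructed) guard: refuse names that the two-argument open
# would treat as a pipe, before any open call sees them.
sub looks_like_pipe {
    my ($f) = @_;
    return $f =~ /\|\s*$/ ? 1 : 0;
}
print "looks_like_pipe('$name') = ", looks_like_pipe($name), "\n";

unlink $name;
```

Run it in an empty scratch directory; it prints INJECTED from the two-argument open and an empty string from the three-argument one, which is exactly the difference between the "Before" and "Afterwards" runs in the test report.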
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0381.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED