public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: media-libs/exiftool/files/, media-libs/exiftool/
@ 2021-05-03 13:57 Thomas Deutschmann
From: Thomas Deutschmann @ 2021-05-03 13:57 UTC
  To: gentoo-commits

commit:     6d7a897605b349d4f2c8e87907876b42e99f8ffa
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon May  3 13:57:33 2021 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon May  3 13:57:33 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d7a8976

media-libs/exiftool: fix CVE-2021-22204

Bug: https://bugs.gentoo.org/785667
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 media-libs/exiftool/exiftool-12.16-r1.ebuild       | 27 +++++++++++++++++++
 .../files/exiftool-12.16-CVE-2021-22204.patch      | 30 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/media-libs/exiftool/exiftool-12.16-r1.ebuild b/media-libs/exiftool/exiftool-12.16-r1.ebuild
new file mode 100644
index 00000000000..faaa13a5828
--- /dev/null
+++ b/media-libs/exiftool/exiftool-12.16-r1.ebuild
@@ -0,0 +1,27 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DIST_NAME=Image-ExifTool
+inherit perl-module
+
+DESCRIPTION="Read and write meta information in image, audio and video files"
+HOMEPAGE="https://exiftool.org/"
+SRC_URI="https://exiftool.org/${DIST_P}.tar.gz"
+
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x64-macos"
+IUSE="doc"
+
+PATCHES=( "${FILESDIR}"/exiftool-12.16-CVE-2021-22204.patch )
+
+SRC_TEST="do"
+
+src_install() {
+	perl-module_src_install
+	use doc && dodoc -r html/
+
+	insinto /usr/share/${PN}
+	doins -r fmt_files config_files arg_files
+}
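
Review bot: KEYWORDS in this new -r1 revision lists only testing keywords (`~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x64-macos`), so as committed the CVE-2021-22204 patch reaches only systems that accept ~arch. The commit message gives just the bug URL; it should say that stabilization of -r1 is tracked there, so the path for stable users is visible from the log.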

diff --git a/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch b/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
new file mode 100644
index 00000000000..1c9e7921c6b
--- /dev/null
+++ b/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
@@ -0,0 +1,30 @@
+Description: Fix 'eval injection".
+ CVE-2021-22204: Improper neutralization of user data in the DjVu file
+ format in ExifTool versions 7.44 and up allows arbitrary code execution
+ when parsing the malicious image
+Origin: upstream release 12.24
+Bug-Debian: https://bugs.debian.org/987505
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1925985
+Author: Phil Harvey <philharvey66@gmail.com>
+Reviewed-by: gregor herrmann <gregoa@debian.org>
+Last-Update: 2021-04-24
+Applied-Upstream: https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
+
+--- a/lib/Image/ExifTool/DjVu.pm
++++ b/lib/Image/ExifTool/DjVu.pm
+@@ -227,10 +227,11 @@
+                 last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
+                 $tok .= '"';    # quote is part of the string
+             }
+-            # must protect unescaped "$" and "@" symbols, and "\" at end of string
+-            $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
+-            # convert C escape sequences (allowed in quoted text)
+-            $tok = eval qq{"$tok"};
++            # convert C escape sequences, allowed in quoted text
++            # (note: this only converts a few of them!)
++            my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
++                        r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
++            $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
+         } else {                # key name
+             pos($$dataPt) = pos($$dataPt) - 1;
+             # allow anything in key but whitespace, braces and double quotes



* [gentoo-commits] repo/gentoo:master commit in: media-libs/exiftool/files/, media-libs/exiftool/
@ 2021-05-30 21:01 Andreas K. Hüttel
From: Andreas K. Hüttel @ 2021-05-30 21:01 UTC
  To: gentoo-commits

commit:     5b20f7125508f3a30f11bbb08f89ee86ad68d28e
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Sun May 30 20:34:41 2021 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Sun May 30 21:00:51 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b20f712

media-libs/exiftool: Remove old

Bug: https://bugs.gentoo.org/791397
Package-Manager: Portage-3.0.18, Repoman-3.0.2
Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 media-libs/exiftool/Manifest                       |  1 -
 media-libs/exiftool/exiftool-12.16-r1.ebuild       | 27 -------------------
 .../files/exiftool-12.16-CVE-2021-22204.patch      | 30 ----------------------
 3 files changed, 58 deletions(-)

diff --git a/media-libs/exiftool/Manifest b/media-libs/exiftool/Manifest
index c696d302572..c4c4e2179f3 100644
--- a/media-libs/exiftool/Manifest
+++ b/media-libs/exiftool/Manifest
@@ -1,2 +1 @@
-DIST Image-ExifTool-12.16.tar.gz 4888506 BLAKE2B d262f087b4334c01ed927945aa0b072c90eaf7322af017030ef193b8b20fc7ce7008b69c483bc83d1dbe0ceab5bcb7e894e5085cae853a1d9d74f72b9c8a360e SHA512 adfd21834ccf06277903712b3c5e328b29c56f3b30ee68f6802dca0820823b627622e55f53238690525d1d19df2a59cb57f9d80a1bb2e99da37fb7d963ee16ee
 DIST Image-ExifTool-12.26.tar.gz 4933296 BLAKE2B e45683243b82f8276aee498d52a88d5b34eaf8b28aebdd631f70e30bb91ceb52224dc994ed189b914f024be4eb471b07bf9f1d860d96af2ab211e482b9ea194e SHA512 15bbff738e151d3ed5c77a17c99ded6cc3da2050fe7df94c42aea544aa31d7f539d70d07fd5336ae018af05b7f168712f1367046d8004861fce58442c03f82bd

diff --git a/media-libs/exiftool/exiftool-12.16-r1.ebuild b/media-libs/exiftool/exiftool-12.16-r1.ebuild
deleted file mode 100644
index b834f5c9407..00000000000
--- a/media-libs/exiftool/exiftool-12.16-r1.ebuild
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-DIST_NAME=Image-ExifTool
-inherit perl-module
-
-DESCRIPTION="Read and write meta information in image, audio and video files"
-HOMEPAGE="https://exiftool.org/"
-SRC_URI="https://exiftool.org/${DIST_P}.tar.gz"
-
-SLOT="0"
-KEYWORDS="amd64 arm64 ppc ppc64 x86 ~x64-macos"
-IUSE="doc"
-
-PATCHES=( "${FILESDIR}"/exiftool-12.16-CVE-2021-22204.patch )
-
-SRC_TEST="do"
-
-src_install() {
-	perl-module_src_install
-	use doc && dodoc -r html/
-
-	insinto /usr/share/${PN}
-	doins -r fmt_files config_files arg_files
-}

diff --git a/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch b/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
deleted file mode 100644
index 1c9e7921c6b..00000000000
--- a/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Description: Fix 'eval injection".
- CVE-2021-22204: Improper neutralization of user data in the DjVu file
- format in ExifTool versions 7.44 and up allows arbitrary code execution
- when parsing the malicious image
-Origin: upstream release 12.24
-Bug-Debian: https://bugs.debian.org/987505
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1925985
-Author: Phil Harvey <philharvey66@gmail.com>
-Reviewed-by: gregor herrmann <gregoa@debian.org>
-Last-Update: 2021-04-24
-Applied-Upstream: https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
-
---- a/lib/Image/ExifTool/DjVu.pm
-+++ b/lib/Image/ExifTool/DjVu.pm
-@@ -227,10 +227,11 @@
-                 last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
-                 $tok .= '"';    # quote is part of the string
-             }
--            # must protect unescaped "$" and "@" symbols, and "\" at end of string
--            $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
--            # convert C escape sequences (allowed in quoted text)
--            $tok = eval qq{"$tok"};
-+            # convert C escape sequences, allowed in quoted text
-+            # (note: this only converts a few of them!)
-+            my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
-+                        r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
-+            $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
-         } else {                # key name
-             pos($$dataPt) = pos($$dataPt) - 1;
-             # allow anything in key but whitespace, braces and double quotes
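
Review bot: This deletion removes the only CVE-2021-22204 patch in the package directory, and the commit message ("Remove old") does not say why that is safe. The removed header records `Origin: upstream release 12.24` and the Manifest hunk keeps only `Image-ExifTool-12.26.tar.gz`, so the remaining version should already carry the upstream fix; stating that in the commit message would make the removal of a security patch auditable from the log alone.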


