From: "Thomas Deutschmann"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Thomas Deutschmann"
Message-ID: <1620050253.6d7a897605b349d4f2c8e87907876b42e99f8ffa.whissi@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/exiftool/files/, media-libs/exiftool/
X-VCS-Repository: repo/gentoo
X-VCS-Files: media-libs/exiftool/exiftool-12.16-r1.ebuild media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
X-VCS-Directories: media-libs/exiftool/files/ media-libs/exiftool/
X-VCS-Committer: whissi
X-VCS-Committer-Name: Thomas Deutschmann
X-VCS-Revision: 6d7a897605b349d4f2c8e87907876b42e99f8ffa
X-VCS-Branch: master
Date: Mon, 3 May 2021 13:57:47 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: f7c59654-ee5d-4299-ad26-202772da5c25
X-Archives-Hash: 931a884aeb4e3382c886380644279a5c

commit:     6d7a897605b349d4f2c8e87907876b42e99f8ffa
Author:     Thomas Deutschmann gentoo org>
AuthorDate: Mon May 3 13:57:33 2021 +0000
Commit:     Thomas Deutschmann gentoo org>
CommitDate: Mon May 3 13:57:33 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d7a8976

media-libs/exiftool: fix CVE-2021-22204

Bug: https://bugs.gentoo.org/785667
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Thomas Deutschmann gentoo.org>

 media-libs/exiftool/exiftool-12.16-r1.ebuild | 27 +++++++++++++++++++
 .../files/exiftool-12.16-CVE-2021-22204.patch | 30 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/media-libs/exiftool/exiftool-12.16-r1.ebuild b/media-libs/exiftool/exiftool-12.16-r1.ebuild new file mode 100644 index 00000000000..faaa13a5828 --- /dev/null +++ b/media-libs/exiftool/exiftool-12.16-r1.ebuild 
@@ -0,0 +1,27 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +DIST_NAME=Image-ExifTool +inherit perl-module + +DESCRIPTION="Read and write meta information in image, audio and video files" +HOMEPAGE="https://exiftool.org/" +SRC_URI="https://exiftool.org/${DIST_P}.tar.gz" + +SLOT="0" +KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x64-macos" +IUSE="doc" + +PATCHES=( "${FILESDIR}"/exiftool-12.16-CVE-2021-22204.patch ) + +SRC_TEST="do" + +src_install() { + perl-module_src_install + use doc && dodoc -r html/ + + insinto /usr/share/${PN} + doins -r fmt_files config_files arg_files +} diff --git a/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch b/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch new file mode 100644 index 00000000000..1c9e7921c6b --- /dev/null +++ b/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch 
@@ -0,0 +1,30 @@ +Description: Fix 'eval injection". + CVE-2021-22204: Improper neutralization of user data in the DjVu file + format in ExifTool versions 7.44 and up allows arbitrary code execution + when parsing the malicious image +Origin: upstream release 12.24 +Bug-Debian: https://bugs.debian.org/987505 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1925985 +Author: Phil Harvey +Reviewed-by: gregor herrmann +Last-Update: 2021-04-24 +Applied-Upstream: https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800 + +--- a/lib/Image/ExifTool/DjVu.pm ++++ b/lib/Image/ExifTool/DjVu.pm +@@ -227,10 +227,11 @@ + last unless $tok =~ /(\\+)$/ and length($1) & 0x01; + $tok .= '"'; # quote is part of the string + } +- # must protect unescaped "$" and "@" symbols, and "\" at end of string +- $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge; +- # convert C escape sequences (allowed in quoted text) +- $tok = eval qq{"$tok"}; ++ # convert C escape sequences, allowed in quoted text ++ # (note: this only converts a few of them!) ++ my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n", ++ r => "\r", t => "\t", '"' => '"', '\\' => '\\' ); ++ $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs; + } else { # key name + pos($$dataPt) = pos($$dataPt) - 1; + # allow anything in key but whitespace, braces and double quotes
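
Review bot: the unpatched revision is not removed alongside the new exiftool-12.16-r1.ebuild (the diffstat shows 57 insertions and no deletions), so if a plain exiftool-12.16.ebuild is still in the tree, users can keep or select a version vulnerable to CVE-2021-22204. Suggest dropping the superseded revision in the same commit or a direct follow-up. The patch header gives its origin as upstream release 12.24, so a one-line comment next to `PATCHES=( "${FILESDIR}"/exiftool-12.16-CVE-2021-22204.patch )` saying this is a backport would tell the next maintainer that the patch is to be dropped on a bump to 12.24 or later.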
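
Review bot: in the added line `$tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;` of the DjVu.pm hunk, the `||` fallback selects the table entry only when it is a true value. That holds for the eight entries in `%esc` as written, but an entry mapping to "0" or to an empty string would silently fall through to the literal branch; `exists $esc{$1} ? $esc{$1} : '\\'.$1` states the intent and keeps working if the table grows. The new comment says only a few escapes are converted; it should also say that any other sequence is now kept literally with its backslash, since the removed `$tok = eval qq{"$tok"};` let Perl interpret every escape in the string and consumers of the annotation text may see different output. In the patch header, `Fix 'eval injection".` has mismatched quotes.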