pkg-perl-maintainers team mailing list archive

[Bug 1471476] Re: [MIR] libimage-exiftool-perl

I reviewed libimage-exiftool-perl version 10.00-1 as checked into Ubuntu
wily. This shouldn't be considered a full security audit and indeed I
reviewed less code than I'd like due to time constraints.

This codebase is incredibly complicated; it embeds knowledge about
hundreds, if not thousands, of image formats and metadata formats. It's
been well-designed to use little miniature methods defined as strings in
hashes which makes for a nice object-oriented design. However, this also
makes it nearly impossible to discover potential locations where untrusted
inputs may be executed as perl code because the eval feature is used
hundreds of times, both for error handling and these micromethods.

I believe I found a security issue while investigating and have mailed the
author for feedback; it's complicated enough that I'm not certain of my
finding.

The coding looks disciplined, the copious comments are helpful, and
there's a good selection of tests run during the build. The sketchiest
code appeared to be used for code generation and documentation generation;
code that handles file inputs checked arguments extensively.

Security team ACK for promoting libimage-exiftool-perl to main.

Thanks


** Changed in: libimage-exiftool-perl (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libimage-exiftool-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1471476

Title:
  [MIR] libimage-exiftool-perl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libimage-exiftool-perl/+bug/1471476/+subscriptions