
pkg-perl-maintainers team mailing list archive

[Bug 1925985] Re: CVE-2021-22204


Thank you Alex for your explanation. Below are my conclusions after digging
around to learn more about how exiftool ends up in Ubuntu.

It seems that Ubuntu is using the Debian version of libimage-exiftool-
perl as-is. Therefore it was probably easy to get the fix released for
Ubuntu 21.10 because it uses the same version of libimage-exiftool-perl
as Debian testing and unstable (12.16); that is, the Debian patch could
be used as-is.

However, backporting the patch specifically for Ubuntu 20.04 (LTS) seems
to be required, because Ubuntu 20.04 uses 11.88 and Debian stable uses
11.16. Debian patched their 11.16, so maybe it is easy to apply that
patch to 11.88 as well.

I'm not really sure where that patch would need to go though. The Debian
team would have no use for it in their repository, so they might not want it
there. There is probably a mechanism to have Ubuntu-specific patches on
top of the Debian ones.

This patch procedure is probably described in the link you gave, so I'll
have to read that more carefully. Contributing to Ubuntu packages is new
to me, so I don't feel comfortable committing to that yet, but I'm
inclined to give it a try (if time permits).

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libimage-exiftool-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1925985

Title:
  CVE-2021-22204

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libimage-exiftool-perl/+bug/1925985/+subscriptions
