
pkg-perl-maintainers team mailing list archive

[Bug 1925985] Re: CVE-2021-22204

 

Following https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue, I can now
subscribe ubuntu-security-sponsors:


1. Your patch is in debdiff format

It is.


2. The patch follows the security team update procedures. Especially:

- targeted against the security pocket of a stable release

I think so, but I'm not exactly sure what a "security pocket" is. This
is a patch against 20.04 LTS to fix an arbitrary code execution, so it
seems appropriate.

I've updated the patch to have 'focal-security' as distribution, as
described in
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.

- uses the correct version

The version 11.88-1ubuntu1 is created by dch, so I'm assuming it is
correct. (Maybe it should be 11.88-1ubuntu0.1?)

- mentions a CVE, and preferably a LP bug #.

The diff mentions CVE-2021-22204 and (LP: #1925985), which is this bug.

- Check your .changes file to make sure that you have the right revision
and distribution

I've put 'focal-security' as distribution, which seemed the most
appropriate.


3. All changes in the patch are intentional

They are.


4. Your patch applies cleanly

It does.


5. The Status and Assignment are correct

I cannot change the status, but it seems OK.


6. Please comment on the testing performed.

I've tested the patched package with echo_vakzz.jpg from
https://hackerone.com/reports/1154542 on a development workstation. (So
not on a clean Ubuntu installation.)


- If all of the above is in order, please subscribe ubuntu-security-sponsors

OK.


** Patch added: "update with focal-security as distribution"
   https://bugs.launchpad.net/ubuntu/+source/libimage-exiftool-perl/+bug/1925985/+attachment/5503783/+files/libimage-exiftool-perl_11.88-1ubuntu1.debdiff

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libimage-exiftool-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1925985

Title:
  CVE-2021-22204
