pkg-perl-maintainers team mailing list archive

Thread
Date

[Bug 1925985] Re: CVE-2021-22204

To: pkg-perl-maintainers@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1925985@xxxxxxxxxxxxxxxxxx>
Date: Thu, 10 Jun 2021 19:10:44 -0000
Reply-to: Bug 1925985 <1925985@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package libimage-exiftool-perl -
12.05-1ubuntu0.1

---------------
libimage-exiftool-perl (12.05-1ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2021-22204.patch: Improper neutralization of user
      data in the DjVu file format in ExifTool versions 7.44 and up allows
      arbitrary code execution when parsing the malicious image. (LP: #1925985)
      Thanks to William Bowling for the bug report on Launchpad.
      Thanks to Gregor Herrmann for backporting the patch.
      From debian release 12.16+dfsg-2.
    - CVE-2021-22204

 -- hugo buddelmeijer <hugo@xxxxxxxxxxxxxxx>  Wed, 09 Jun 2021 20:39:41
+0200

** Changed in: libimage-exiftool-perl (Ubuntu Focal)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libimage-exiftool-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1925985

Title:
  CVE-2021-22204

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libimage-exiftool-perl/+bug/1925985/+subscriptions

References

[Bug 1925985] [NEW] CVE-2021-22204
From: William Bowling, 2021-04-24