Your message dated Mon, 03 May 2021 18:02:42 +0000
with message-id <e1ldcu2-0000jr...@fasolo.debian.org>
and subject line Bug#987505: fixed in libimage-exiftool-perl 11.16-1+deb10u1
has caused the Debian Bug report #987505,
regarding CVE-2021-22204: Improper neutralization of directives in dynamically
evaluated code ('eval injection')
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
987505: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987505
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libimage-exiftool-perl
Version: 7.89-1
Severity: serious
Tags: security upstream patch fixed-upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204
"Improper neutralization of user data in the DjVu file format in
ExifTool versions 7.44 and up allows arbitrary code execution when
parsing the malicious image"
Fixed upstream in 12.24:
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
Also https://bugs.launchpad.net/bugs/1925985
--- End Message ---
--- Begin Message ---
Source: libimage-exiftool-perl
Source-Version: 11.16-1+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libimage-exiftool-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 987...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated
libimage-exiftool-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 26 Apr 2021 15:53:25 +0200
Source: libimage-exiftool-perl
Architecture: source
Version: 11.16-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 987505
Changes:
 libimage-exiftool-perl (11.16-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ gregor herrmann ]
   * Add patch CVE-2021-22204.patch, taken from upstream release 12.24.
     The patch fixes CVE-2021-22204: Improper neutralization of user data in
     the DjVu file format in ExifTool versions 7.44 and up allows arbitrary
     code execution when parsing the malicious image.
     Thanks to William Bowling for the bug report on Launchpad.
     (Closes: #987505) (LP: #1925985)
--- End Message ---