Thanks Alex, Paulo and Gregor. Great to have this released!
And thanks for the learning opportunity. As in, my help probably didn't
actually save you any time in the short run, because the only thing I
effectively did was change the changelog of the upstream patch, and you
had to redo that anyway
Following https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue, I can now
subscribe ubuntu-security-sponsors:
1. Your patch is in debdiff format
It is.
2. The patch follows the security team update procedures. Especially:
- targeted against the security pocket of a stable release
I think so,
Attached is a debdiff that fixes CVE-2021-22204 on libimage-exiftool-perl
11.88-1; dch automatically changed the version to 11.88-1ubuntu1.
I simply checked out https://salsa.debian.org/perl-team/modules/packages/libimage-exiftool-perl/-/tree/debian/11.88-1,
cherry-picked
https://salsa.debian.o
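The two SponsorsQueue items quoted in this thread (debdiff format, targeted against the security pocket of a stable release) can be sanity-checked mechanically before subscribing the sponsors team. The POSIX shell script below is an added example written for this thread; it is not code from the bug report, Launchpad, or the Ubuntu security team. It parses the debian/changelog hunk of a debdiff and checks that the new entry targets a `<release>-security` distribution and carries an `ubuntu` version suffix. The sample debdiff it generates is constructed: the maintainer address, the date and the version 11.88-1ubuntu0.1 are placeholders (the dch run described above produced 11.88-1ubuntu1).

```shell
#!/bin/sh
# Added example, not from the bug thread: sanity-check a debdiff against two
# SponsorsQueue items, "debdiff format" and "targeted against the security
# pocket of a stable release", by parsing its debian/changelog hunk.

# Emit a constructed debdiff whose added changelog entry uses the given
# version ($1) and distribution ($2). Package name and CVE id come from the
# thread; maintainer address and date are placeholders.
make_sample_debdiff() {
  cat <<EOF
diff -Nru libimage-exiftool-perl-11.88/debian/changelog libimage-exiftool-perl-11.88/debian/changelog
--- libimage-exiftool-perl-11.88/debian/changelog
+++ libimage-exiftool-perl-11.88/debian/changelog
@@ -1,3 +1,9 @@
+libimage-exiftool-perl ($1) $2; urgency=medium
+
+  * SECURITY UPDATE: arbitrary code execution (CVE-2021-22204)
+
+ -- Example Maintainer <maintainer@example.invalid>  Mon, 10 May 2021 12:00:00 +0000
+
 libimage-exiftool-perl (11.88-1) unstable; urgency=medium
EOF
}

# Print "ok: <version> -> <distribution>" and return 0 when the first
# changelog entry the debdiff adds targets a -security pocket with an
# ubuntu-suffixed version; otherwise print the reason and return 1.
check_debdiff_target() {
  # A debdiff adds the new entry as a '+' line of the form
  # "+<source> (<version>) <distribution>; urgency=<level>".
  entry=$(grep -E '^\+[a-z0-9.+-]+ \([^)]+\) [a-z-]+; urgency=' "$1" | head -n 1)
  if [ -z "$entry" ]; then
    echo "no added debian/changelog entry found (not a debdiff?)"
    return 1
  fi
  version=$(printf '%s\n' "$entry" | sed -E 's/^\+[^ ]+ \(([^)]+)\).*/\1/')
  dist=$(printf '%s\n' "$entry" | sed -E 's/^[^)]+\) ([a-z-]+);.*/\1/')
  case "$dist" in
    *-security) ;;
    *) echo "distribution '$dist' is not a -security pocket"; return 1 ;;
  esac
  case "$version" in
    *ubuntu*) ;;
    *) echo "version '$version' has no ubuntu suffix"; return 1 ;;
  esac
  echo "ok: $version -> $dist"
}

# Demo: one correctly targeted debdiff and one aimed at the plain release
# pocket, which a sponsor would bounce back.
if [ "${1:-}" = "--demo" ]; then
  good=$(mktemp); bad=$(mktemp)
  make_sample_debdiff 11.88-1ubuntu0.1 focal-security > "$good"
  make_sample_debdiff 11.88-1ubuntu1 focal > "$bad"
  check_debdiff_target "$good"
  check_debdiff_target "$bad" || true
  rm -f "$good" "$bad"
fi
```

Run it as `sh check_debdiff.sh --demo`, or point `check_debdiff_target` at a real debdiff file. The check only requires some `ubuntu` suffix; it does not enforce the Ubuntu security team's `ubuntu0.1` numbering convention for packages otherwise unmodified from Debian, which is a policy question a human sponsor still reviews.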
Thank you Alex for your explanation. Below my conclusions after digging
around to learn more about how exiftool ends up in Ubuntu.
It seems that Ubuntu is using the Debian version of libimage-exiftool-perl
as-is. Therefore it was probably easy to get the fix released for
Ubuntu 21.10 because it u
The status of this bug says "Fix Released". How can one install this
released fix on Ubuntu 20.04.2 LTS (Focal Fossa)?
The publicly available proof of concept arbitrary code execution on
hackerone [1] works as-is on the latest exiftool (11.88-1) in the focal
repositories. This makes it a security