branch master updated: gnu: ExifTool: Fix CVE-2021-22204
From: |
guix-commits |
Subject: |
branch master updated: gnu: ExifTool: Fix CVE-2021-22204 |
Date: |
Sun, 09 May 2021 10:44:04 -0400 |
This is an automated email from the git hooks/post-receive script.
lfam pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new 0f2b5f7 gnu: ExifTool: Fix CVE-2021-22204
0f2b5f7 is described below
commit 0f2b5f7f733dbc4c66c1e9f8dbb5189ba6f56a80
Author: Leo Famulari <leo@famulari.name>
AuthorDate: Sun May 9 10:41:02 2021 -0400
gnu: ExifTool: Fix CVE-2021-22204
* gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/photo.scm (perl-image-exiftool)[source]: Use it.
---
gnu/local.mk | 1 +
.../perl-image-exiftool-CVE-2021-22204.patch | 38 ++++++++++++++++++++++
gnu/packages/photo.scm | 1 +
3 files changed, 40 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index 37166bb..c4bd887 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1525,6 +1525,7 @@ dist_patch_DATA =
\
%D%/packages/patches/perl-cross.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
+ %D%/packages/patches/perl-image-exiftool-CVE-2021-22204.patch \
%D%/packages/patches/perl-io-socket-ssl-openssl-1.0.2f-fix.patch \
%D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \
%D%/packages/patches/perl-net-dns-resolver-programmable-fix.patch \
diff --git a/gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch
b/gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch
new file mode 100644
index 0000000..85ea29c
--- /dev/null
+++ b/gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch
@@ -0,0 +1,38 @@
+Fix CVE-2021-22204:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204
+
+Patch extracted from commit cf0f4e7dcd024ca99615bfd1102a841a25dde031
+from upstream source repository:
+
+https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
+
+diff --git a/lib/Image/ExifTool/DjVu.pm b/lib/Image/ExifTool/DjVu.pm
+index c284d10..03b3f9f 100644
+--- a/lib/Image/ExifTool/DjVu.pm
++++ b/lib/Image/ExifTool/DjVu.pm
+@@ -18,7 +18,7 @@ use strict;
+ use vars qw($VERSION);
+ use Image::ExifTool qw(:DataAccess :Utils);
+
+-$VERSION = '1.06';
++$VERSION = '1.07';
+
+ sub ParseAnt($);
+ sub ProcessAnt($$$);
+@@ -227,10 +227,11 @@ Tok: for (;;) {
+ last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
+ $tok .= '"'; # quote is part of the string
+ }
+- # must protect unescaped "$" and "@" symbols, and "\" at end of
string
+- $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
+- # convert C escape sequences (allowed in quoted text)
+- $tok = eval qq{"$tok"};
++ # convert C escape sequences, allowed in quoted text
++ # (note: this only converts a few of them!)
++ my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
++ r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
++ $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
+ } else { # key name
+ pos($$dataPt) = pos($$dataPt) - 1;
+ # allow anything in key but whitespace, braces and double quotes
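Review bot: The new comment in the second DjVu.pm hunk does not say why `eval qq{"$tok"}` was replaced by the `%esc` table, so a maintainer who later wants the escapes that are no longer converted could bring the string eval back; I would add `# never eval $tok: it is text read from the file being parsed (CVE-2021-22204)` above `my %esc`. The fallback in `s/\\(.)/$esc{$1}||'\\'.$1/egs` is correct only because every table value happens to be true; `exists $esc{$1} ? $esc{$1} : '\\'.$1` states the intent and stays correct if an entry such as `0` is ever added. The context line `/(\\+)$/` also matches before a trailing newline, and `\z` would anchor at the real end of the token, although with the eval gone this looks like a parsing detail only. The enclosing `Tok:` loop starts and ends outside the hunk, so the rest of the tokenizer was not reviewed.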
diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 6a66011..943e8ca 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -328,6 +328,7 @@ MTP, and much more.")
;; New releases may take a while to hit CPAN.
(string-append "https://www.sno.phy.queensu.ca/~phil/exiftool/"
"Image-ExifTool-" version ".tar.gz")))
+ (patches (search-patches "perl-image-exiftool-CVE-2021-22204.patch"))
(sha256
(base32
"0skm22b3gg1bfk0amklrprpva41m6mkrhqp0gi7z1nmcf9ypjh61"))))