From 0f2b5f7f733dbc4c66c1e9f8dbb5189ba6f56a80 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sun, 9 May 2021 10:41:02 -0400 Subject: gnu: ExifTool: Fix CVE-2021-22204 * gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/photo.scm (perl-image-exiftool)[source]: Use it. --- gnu/local.mk | 1 + .../perl-image-exiftool-CVE-2021-22204.patch | 38 ++++++++++++++++++++++ gnu/packages/photo.scm | 1 + 3 files changed, 40 insertions(+) create mode 100644 gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch diff --git a/gnu/local.mk b/gnu/local.mk index 37166bb2fc..c4bd88714c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1525,6 +1525,7 @@ dist_patch_DATA = \ %D%/packages/patches/perl-cross.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ + %D%/packages/patches/perl-image-exiftool-CVE-2021-22204.patch \ %D%/packages/patches/perl-io-socket-ssl-openssl-1.0.2f-fix.patch \ %D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \ %D%/packages/patches/perl-net-dns-resolver-programmable-fix.patch \ diff --git a/gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch b/gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch new file mode 100644 index 0000000000..85ea29cc38 --- /dev/null +++ b/gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch @@ -0,0 +1,38 @@ +Fix CVE-2021-22204: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204 + +Patch extracted from commit cf0f4e7dcd024ca99615bfd1102a841a25dde031 +from upstream source repository: + +https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800 + +diff --git a/lib/Image/ExifTool/DjVu.pm b/lib/Image/ExifTool/DjVu.pm +index c284d10..03b3f9f 100644 +--- a/lib/Image/ExifTool/DjVu.pm ++++ b/lib/Image/ExifTool/DjVu.pm +@@ -18,7 +18,7 @@ use strict; + use vars qw($VERSION); + use Image::ExifTool qw(:DataAccess :Utils); + +-$VERSION = '1.06'; ++$VERSION = '1.07'; + + sub ParseAnt($); + sub ProcessAnt($$$); +@@ -227,10 +227,11 @@ Tok: for (;;) { + last unless $tok =~ /(\\+)$/ and length($1) & 0x01; + $tok .= '"'; # quote is part of the string + } +- # must protect unescaped "$" and "@" symbols, and "\" at end of string +- $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge; +- # convert C escape sequences (allowed in quoted text) +- $tok = eval qq{"$tok"}; ++ # convert C escape sequences, allowed in quoted text ++ # (note: this only converts a few of them!) ++ my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n", ++ r => "\r", t => "\t", '"' => '"', '\\' => '\\' ); ++ $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs; + } else { # key name + pos($$dataPt) = pos($$dataPt) - 1; + # allow anything in key but whitespace, braces and double quotes diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm index 6a6601113c..943e8caa90 100644 --- a/gnu/packages/photo.scm +++ b/gnu/packages/photo.scm @@ -328,6 +328,7 @@ MTP, and much more.") ;; New releases may take a while to hit CPAN. (string-append "https://www.sno.phy.queensu.ca/~phil/exiftool/" "Image-ExifTool-" version ".tar.gz"))) + (patches (search-patches "perl-image-exiftool-CVE-2021-22204.patch")) (sha256 (base32 "0skm22b3gg1bfk0amklrprpva41m6mkrhqp0gi7z1nmcf9ypjh61")))) -- cgit v1.2.3