Your message dated Sat, 24 Apr 2021 21:03:25 +0000
with message-id <[email protected]>
and subject line Bug#987505: fixed in libimage-exiftool-perl 12.16+dfsg-2
has caused the Debian Bug report #987505,
regarding CVE-2021-22204: Improper neutralization of directives in dynamically 
evaluated code ('eval injection')
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
987505: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987505
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libimage-exiftool-perl
Version: 7.89-1
Severity: serious
Tags: security upstream patch fixed-upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204

"Improper neutralization of user data in the DjVu file format in
ExifTool versions 7.44 and up allows arbitrary code execution when
parsing the malicious image"

Fixed upstream in 12.24:
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800

Also https://bugs.launchpad.net/bugs/1925985

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmCEfodfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgao/w/9HH5DAYC64RkvniKlsDE3N5dOFDl6lNZ2uVZUadZjkMEHCFqhmjsYc0Tf
y04N09lM1cZcTi4k1czgdcwXE9IwOHmiSK/fBRsreFfBDGRQ26K9OEZ6yQ5mLXJT
d5H3oWCKBQQnGOVb21iqIsB93H+9V1+htbBxPPLNT9ZR8QU0mJlttr2pdLDB/k0Z
oajD5ZBd4b5MAHKND0XJQhD0mN93D8PDekvsFOD7waXFuUGvYeyQTD6XmFVM7liw
pP4ZxabO9Dnd7r0O2vbGjQ52H5BEVehc0nChLrStE3nLzdpFjdG/Ksop3/b/4Mc+
iHEk0EcPWgS41qjyWm1InNek7RHaYEO74hUJ6KCUnHhO/goGj4yq6h1htE0GVree
nrnVtX+cxkp8utZXC7vYoGe31iRz3GDI/MZ/+yd3NZF4xJqIAud/tJREqvJirmbJ
QbtkwprmP4EX0OTbCnJAtTeRl9Crg2TlzQ7h89dEVR1yuG+9EZFxMT9m6hHmxdph
G3YZ1UilJqyX45J+xPCXCriuK+O3y1uszfECOliZhGs1jbyBOXXN5Q5timrbJZnr
1KCtGHsjknOujO/gYqPwb/u/XkWBkdZ24dromBXqHV7lsycHARR0v0DkpcwhiNqE
b3x5mTAvmN1L4QxvfNzRsLUXOVNjjbA3ekG0zsTcApLTvxOrHM8=
=VnEt
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: libimage-exiftool-perl
Source-Version: 12.16+dfsg-2
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libimage-exiftool-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libimage-exiftool-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Apr 2021 22:40:21 +0200
Source: libimage-exiftool-perl
Architecture: source
Version: 12.16+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 987505
Changes:
 libimage-exiftool-perl (12.16+dfsg-2) unstable; urgency=medium
 .
   * Add patch CVE-2021-22204.patch, taken from upstream release 12.24.
     The patch fixes CVE-2021-22204: Improper neutralization of user data in
     the DjVu file format in ExifTool versions 7.44 and up allows arbitrary
     code execution when parsing the malicious image.
     Thanks to William Bowling for the bug report on Launchpad.
     (Closes: #987505) (LP: #1925985)
Checksums-Sha1:
 4f23c6c05773f00ff901d11dfc1bba4fe937e0f2 2544 
libimage-exiftool-perl_12.16+dfsg-2.dsc
 6579ec3d099a71a0fa9cf802c282eb4038dae37c 10820 
libimage-exiftool-perl_12.16+dfsg-2.debian.tar.xz
Checksums-Sha256:
 82d15d02941df73061a5a586e2ffd6df993fddccfc17b2fe03ea5a3c70ff18b4 2544 
libimage-exiftool-perl_12.16+dfsg-2.dsc
 77e40f7694d631b9c53dfd57f4495f1948d71b4cffbe78cac2a52795032c32ed 10820 
libimage-exiftool-perl_12.16+dfsg-2.debian.tar.xz
Files:
 a9569666222f953a225b674d2f6d4f2e 2544 perl optional 
libimage-exiftool-perl_12.16+dfsg-2.dsc
 187fe61269d36b2ed864ed186fd70caa 10820 perl optional 
libimage-exiftool-perl_12.16+dfsg-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmCEgp1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgbkGxAAseHXRqMHnesVU7PRT91b+BiuW2JIvjVO8DZiPSLpd0vpfZ6pCMOPuBP9
IvtehDuhitizW29T22lky7+yVMOIs+1CIm4L2TjzSVOoHKC2/PoGlU+rdD5DcQ3V
f2vjzy22lj9D9CsfGM07cPyLcrcINUwZx/8ni2w9kSgoc8FyvxPtKtFv/ZIRE6bz
Xy5a7jSn1ZHA+vjf8GEkoL+PJ2olgjusbLj9Xcoa/KEo6rK+Y+tLEERyVGEdI1gx
5kr86ZUEPHjRYdVIcVrjVtpjs1kEj06FtjXIeYAw5iQbxhqMOBsZJMeFkByXfKoo
gfHSFwNpqsIC9GfbJp15WuN69t3VzpVPdzim7eLR/zyFHZLnjI+NHTGmf0QqbL4L
xQ0wxpQTx1olBoW5aglz5Ks2JDrwo7G96vEDLrPcgfVWUvVlE/iQSxROUetqSS7x
JfzkkfWHdA4xDawxw1Eg7LITQPlv4Q2sBg+Q/ZFR0m3nlm340gfFkhGMzge9eDBG
IT479Bx26WRLUpKOhCp+aUr7RC3kmzFf+xtKIQY5mJ6Hne2dmRrHGYU/AD5lqI+2
IYOJY0RGPDYFsc8fMhz6eE2E1BJfdHSMOjyEHszJobqP/Ik2yyNRxbv9dKUquaMH
WX4RD3z2+eBfFzNC0qh47aW4f/7qjccTsKuTT3JWaE/krx7+9oU=
=oKPh
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to