Bug 1185547 – VUL-0: CVE-2021-22204: perl-Image-ExifTool: Arbitrary code execution in ExifTool

Bug 1185547 - (CVE-2021-22204) VUL-0: CVE-2021-22204: perl-Image-ExifTool: Arbitrary code execution in ExifTool

(CVE-2021-22204)
Summary:	VUL-0: CVE-2021-22204: perl-Image-ExifTool: Arbitrary code execution in ExifTool

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Other
Version:	Current
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Alexei Sorokin
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-05-03 06:13 UTC by Luigi Baldoni
Modified:	2021-05-11 08:52 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Luigi Baldoni 2021-05-03 06:13:30 UTC

As per subject, fixed in 12.24+.

Comment 1 Robert Frohl 2021-05-03 08:28:20 UTC

"Improper neutralization of user data in the DjVu file format in
ExifTool versions 7.44 and up allows arbitrary code execution when
parsing the malicious image"

references:

https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800 	
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json 	
https://hackerone.com/reports/1154542 	
https://www.debian.org/security/2021/dsa-4910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204

Comment 2 OBSbugzilla Bot 2021-05-04 10:50:03 UTC

This is an autogenerated message for OBS integration:
This bug (1185547) was mentioned in
https://build.opensuse.org/request/show/890301 Backports:SLE-15-SP3 / perl-Image-ExifTool

Comment 3 OBSbugzilla Bot 2021-05-05 07:50:05 UTC

This is an autogenerated message for OBS integration:
This bug (1185547) was mentioned in
https://build.opensuse.org/request/show/890552 15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / perl-Image-ExifTool

Comment 4 Swamp Workflow Management 2021-05-10 22:19:15 UTC

openSUSE-SU-2021:0707-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185547
CVE References: CVE-2021-22204
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    perl-Image-ExifTool-12.25-lp152.4.3.1
openSUSE Backports SLE-15-SP2 (src):    perl-Image-ExifTool-12.25-bp152.4.3.1
openSUSE Backports SLE-15-SP1 (src):    perl-Image-ExifTool-12.25-bp151.4.3.1

Comment 5 Marcus Meissner 2021-05-11 08:52:48 UTC

done