me
/
guix
Archived
1
0
Fork 0
Code

gnu: ExifTool: Fix CVE-2021-22204 

* gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/photo.scm (perl-image-exiftool)[source]: Use it.
master
Leo Famulari 2021-05-09 10:41:02 -04:00
parent f661e6883e
commit 0f2b5f7f73
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
3 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
gnu/local.mk
View File

@ -1525,6 +1525,7 @@ dist_patch_DATA = \
%D%/packages/patches/perl-cross.patch \ %D%/packages/patches/perl-cross.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
%D%/packages/patches/perl-image-exiftool-CVE-2021-22204.patch \
%D%/packages/patches/perl-io-socket-ssl-openssl-1.0.2f-fix.patch \ %D%/packages/patches/perl-io-socket-ssl-openssl-1.0.2f-fix.patch \
%D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \ %D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \
%D%/packages/patches/perl-net-dns-resolver-programmable-fix.patch \ %D%/packages/patches/perl-net-dns-resolver-programmable-fix.patch \

38
gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch 100644
View File

@ -0,0 +1,38 @@
Fix CVE-2021-22204:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204
Patch extracted from commit cf0f4e7dcd024ca99615bfd1102a841a25dde031
from upstream source repository:
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
diff --git a/lib/Image/ExifTool/DjVu.pm b/lib/Image/ExifTool/DjVu.pm
index c284d10..03b3f9f 100644
--- a/lib/Image/ExifTool/DjVu.pm
+++ b/lib/Image/ExifTool/DjVu.pm
@@ -18,7 +18,7 @@ use strict;
use vars qw($VERSION);
use Image::ExifTool qw(:DataAccess :Utils);
-$VERSION = '1.06';
+$VERSION = '1.07';
sub ParseAnt($);
sub ProcessAnt($$$);
@@ -227,10 +227,11 @@ Tok: for (;;) {
last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
$tok .= '"'; # quote is part of the string
}
- # must protect unescaped "$" and "@" symbols, and "\" at end of string
- $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
- # convert C escape sequences (allowed in quoted text)
- $tok = eval qq{"$tok"};
+ # convert C escape sequences, allowed in quoted text
+ # (note: this only converts a few of them!)
+ my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
+ r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
+ $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
} else { # key name
pos($$dataPt) = pos($$dataPt) - 1;
# allow anything in key but whitespace, braces and double quotes

1
gnu/packages/photo.scm
View File

@ -328,6 +328,7 @@ MTP, and much more.")
;; New releases may take a while to hit CPAN. ;; New releases may take a while to hit CPAN.
(string-append "https://www.sno.phy.queensu.ca/~phil/exiftool/" (string-append "https://www.sno.phy.queensu.ca/~phil/exiftool/"
"Image-ExifTool-" version ".tar.gz"))) "Image-ExifTool-" version ".tar.gz")))
(patches (search-patches "perl-image-exiftool-CVE-2021-22204.patch"))
(sha256 (sha256
(base32 (base32
"0skm22b3gg1bfk0amklrprpva41m6mkrhqp0gi7z1nmcf9ypjh61")))) "0skm22b3gg1bfk0amklrprpva41m6mkrhqp0gi7z1nmcf9ypjh61"))))