** Changed in: libimage-exiftool-perl (Ubuntu)
Status: In Progress => Fix Released
** Changed in: libimage-exiftool-perl (Ubuntu)
Importance: Medium => High
** Changed in: libimage-exiftool-perl (Ubuntu Bionic)
Importance: Undecided => High
** Changed in: libimage-exiftool-perl (Ubu
Thanks Alex, Paulo and Gregor. Great to have this released!
And thanks for the learning opportunity. As in, my help probably didn't
actually save you any time in the short run, because the only thing I
effectively did was change the changelog of the upstream patch, and you
had to redo that anyway
Hello Hugo, Thanks for the help! I've published your backport for
bionic, focal, groovy, and hirsute. The changelog was a little different
to be in the format that we use. About the version number, we use major
numbers (like ubuntu1) when it is a devel release; otherwise we increment
the minor number (
This bug was fixed in the package libimage-exiftool-perl -
10.80-1ubuntu0.1
---
libimage-exiftool-perl (10.80-1ubuntu0.1) bionic-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2021-22204.patch: Improper neutralization of user
data
This bug was fixed in the package libimage-exiftool-perl -
11.88-1ubuntu0.1
---
libimage-exiftool-perl (11.88-1ubuntu0.1) focal-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2021-22204.patch: Improper neutralization of user
data
This bug was fixed in the package libimage-exiftool-perl -
12.05-1ubuntu0.1
---
libimage-exiftool-perl (12.05-1ubuntu0.1) groovy-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2021-22204.patch: Improper neutralization of user
data
This bug was fixed in the package libimage-exiftool-perl -
12.16+dfsg-1ubuntu0.1
---
libimage-exiftool-perl (12.16+dfsg-1ubuntu0.1) hirsute-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2021-22204.patch: Improper neutralization of use
** Also affects: libimage-exiftool-perl (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: libimage-exiftool-perl (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: libimage-exiftool-perl (Ubuntu Hirsute)
Importance: Undecided
Status:
On Wed, 09 Jun 2021 19:37:15 -, Hugo Buddelmeijer wrote:
> Also, I've added my name to the changelog, even though @gregoa Gregor
> Herrmann did the actual work, which is credited in the changelog. I
> don't care about getting credit for this, so feel free to change the
> changelog.
FWIW, I'm
Following https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue , I can now
subscribe ubuntu-security-sponsors :
1. Your patch is in debdiff format
It is.
2. The patch follows the security team update procedures. Especially:
- targeted against the security pocket of a stable release
I think so,
Attached is a debdiff that fixes CVE-2021-22204 on libimage-exiftool-perl
11.88-1; dch automatically changed the version to 11.88-1ubuntu1.
I simply checked out
https://salsa.debian.org/perl-team/modules/packages/libimage-exiftool-perl/-/tree/debian/11.88-1 ,
cherry-picked
https://salsa.debian.o
Thank you Alex for your explanation. Below are my conclusions after digging
around to learn more about how exiftool ends up in Ubuntu.
It seems that Ubuntu is using the Debian version of libimage-exiftool-perl
as-is. Therefore it was probably easy to get the fix released for
Ubuntu 21.10 because it u
Launchpad is tracking the status against the current development release
of Ubuntu (21.10) only - as can be seen on the Ubuntu CVE tracker,
https://ubuntu.com/security/CVE-2021-22204 this is not resolved for
other Ubuntu releases yet.
Also since the package referred to in this bug is in universe or
The status of this bug says "Fix Released". How can one install this
released fix on Ubuntu 20.04.2 LTS (Focal Fossa)?
The publicly available proof of concept arbitrary code execution on
hackerone [1] works as-is on the latest exiftool (11.88-1) in the focal
repositories. This makes it a security
** Changed in: libimage-exiftool-perl (Ubuntu)
Importance: Undecided => Medium
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925985
Titl
This bug was fixed in the package libimage-exiftool-perl - 12.16+dfsg-2
---
libimage-exiftool-perl (12.16+dfsg-2) unstable; urgency=medium
* Add patch CVE-2021-22204.patch, taken from upstream release 12.24.
The patch fixes CVE-2021-22204: Improper neutralization of user data in
** Changed in: libimage-exiftool-perl (Debian)
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925985
Title:
CVE-2021-22204
To manage notifications about this
** Changed in: libimage-exiftool-perl (Ubuntu)
Status: New => Confirmed
** Bug watch added: Debian Bug tracker #987505
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987505
** Also affects: libimage-exiftool-perl (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987505
Importance: Unknown
Status: Unknown