Thank you Alex for your explanation. Below are my conclusions after digging around to learn more about how exiftool ends up in Ubuntu.

It seems that Ubuntu is using the Debian version of libimage-exiftool-perl as-is. Therefore it was probably easy to get the fix released for Ubuntu 21.10, because it uses the same version of libimage-exiftool-perl as Debian testing and unstable (12.16); that is, the Debian patch could be used as-is. However, backporting the patch specifically for Ubuntu 20.04 (LTS) seems to be required, because Ubuntu 20.04 uses 11.88 and Debian stable uses 11.16. Debian patched their 11.16, so maybe it is easy to apply that patch to 11.88 as well. I'm not really sure where that patch would need to go, though. The Debian team would have no use for it in their repository, so they might not want it there. There is probably a mechanism to have Ubuntu-specific patches on top of the Debian ones. This patch procedure is probably described in the link you gave, so I'll have to read that more carefully. Contributing to Ubuntu packages is new to me, so I don't feel comfortable committing to that yet, but I'm inclined to give it a try (if time permits).

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925985

Title: CVE-2021-22204

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libimage-exiftool-perl/+bug/1925985/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs