From a978c074e4272bb901fbe4a10de0a7b2af574f17 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Tue, 4 May 2021 22:28:33 +0100
Subject: gentoo resync : 04.05.2021

---
 media-libs/exiftool/Manifest | 2 ++
 media-libs/exiftool/exiftool-12.16-r1.ebuild | 27 +++++++++++++++++++
 .../files/exiftool-12.16-CVE-2021-22204.patch | 30 ++++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 media-libs/exiftool/exiftool-12.16-r1.ebuild
 create mode 100644 media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
(limited to 'media-libs/exiftool')

diff --git a/media-libs/exiftool/Manifest b/media-libs/exiftool/Manifest
index 38889f2e0011..d2cb11ea2b51 100644
--- a/media-libs/exiftool/Manifest
+++ b/media-libs/exiftool/Manifest
@@ -1,5 +1,7 @@
+AUX exiftool-12.16-CVE-2021-22204.patch 1607 BLAKE2B 1cfcdb7c002ba24785b9a7c5e806f2d4cdd5054905858de3d322f81919f37b472f58ebaff14fbce49fb2c88e512488e26dfda603de7e271d0c8a4a1093f6539a SHA512 7a24dfc1962e10e05d14090ede26d292352d9e8d0e1eec2289527bb7577e59eb4e618c7b1b5773dd3a8295b124af10c4082a395d38a6893b5548b3e5a06bf1b7
 DIST Image-ExifTool-12.08.tar.gz 4842868 BLAKE2B 0ad8228f5b40bf51f1e29e4676ecd012de2dec6229452f7655adb543d44e59825a21311f2d09ece5190fdda06b21fbd8cc6a697b164cf6aae94c401d082459e1 SHA512 66e445fe1aca640d4b984cfacb4972f2bc64bcab61dbb014a0486a7d04612ecbd249a2691bcff704957c93467533b383c53883bb409a2064bb8c839ae7c2d4a5
 DIST Image-ExifTool-12.16.tar.gz 4888506 BLAKE2B d262f087b4334c01ed927945aa0b072c90eaf7322af017030ef193b8b20fc7ce7008b69c483bc83d1dbe0ceab5bcb7e894e5085cae853a1d9d74f72b9c8a360e SHA512 adfd21834ccf06277903712b3c5e328b29c56f3b30ee68f6802dca0820823b627622e55f53238690525d1d19df2a59cb57f9d80a1bb2e99da37fb7d963ee16ee
 EBUILD exiftool-12.08.ebuild 543 BLAKE2B 3c64bd7b7a5a26358572ebb599df5c815200cee69bb7121a60d51f94eac2ffec1d6b19027150acf57474e05d8921272c1012dc71d95b1bfcf4abe54d2be44d2d SHA512 d98a45ba549b24053b9fb21a2bf61250fd73f5ca478dd24db1f1925e7d0c6956d183f235b7a4542b96794500284916e10d6c2eef73a82ea94338f74f5c35dfac
+EBUILD exiftool-12.16-r1.ebuild 609 BLAKE2B 0f00d05c49ab0bd21777725ef01e8198bcd5b4b56811d579c11628f81726dfbe9f70b2f927a796f1c5c66170d54f05de238dc065fad420822b19543368ab4d90 SHA512 e946de1f26f99ae982ee2b27e281158415bd2b675b680fbe9304cd9d52818762c227954530b471f13a5b894fc496b549088633d900e109296120e4bc5584175e
 EBUILD exiftool-12.16.ebuild 548 BLAKE2B 4fe20c6aff48822e2830453d416740ccbd257ef0fb28164793f8cc3ff9e4ccd5448983e2a2008546f9ccd57a8e57685f2e06d01d5d7ab6bd5caae0f0fab79aeb SHA512 8ee2add456ad6eb6ce386075e6498e9cdd250434e0e881a6201febdc8fa9abfa1b7e5041d63bad0907c23df0e8d412476081bc33c1bf17ea6a9f664fcdd0c842
 MISC metadata.xml 10039 BLAKE2B da44aad7d46d49683f89fa75db8c92230b9088cd14a5c8715a9f3a982843d8a348393f1bd10bdcc08d5d6dc4e5f2fbf0fdd517ce88df2180807796fbd5c06b32 SHA512 c4647e7055ffcae7226aa2bdff458576cc0fef14f6d782a16695902f4af96740a96f0388398eafbdca22ee76a0c808c81dafc2ccc583f8218c718f69c8fd0da9
diff --git a/media-libs/exiftool/exiftool-12.16-r1.ebuild b/media-libs/exiftool/exiftool-12.16-r1.ebuild
new file mode 100644
index 000000000000..3c8849a0fcc9
--- /dev/null
+++ b/media-libs/exiftool/exiftool-12.16-r1.ebuild
@@ -0,0 +1,27 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DIST_NAME=Image-ExifTool
+inherit perl-module
+
+DESCRIPTION="Read and write meta information in image, audio and video files"
+HOMEPAGE="https://exiftool.org/"
+SRC_URI="https://exiftool.org/${DIST_P}.tar.gz"
+
+SLOT="0"
+KEYWORDS="amd64 ~arm64 ppc ~ppc64 ~x86 ~x64-macos"
+IUSE="doc"
+
+PATCHES=( "${FILESDIR}"/exiftool-12.16-CVE-2021-22204.patch )
+
+SRC_TEST="do"
+
+src_install() {
+	perl-module_src_install
+	use doc && dodoc -r html/
+
+	insinto /usr/share/${PN}
+	doins -r fmt_files config_files arg_files
+}
diff --git a/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch b/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
new file mode 100644
index 000000000000..1c9e7921c6bb
--- /dev/null
+++ b/media-libs/exiftool/files/exiftool-12.16-CVE-2021-22204.patch
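Review bot: The `PATCHES=( "${FILESDIR}"/exiftool-12.16-CVE-2021-22204.patch )` line carries no comment saying why this revision exists, and Gentoo ebuilds conventionally record the bug or CVE next to a security patch; a one-line comment above it such as `# Backport of the upstream 12.24 fix for CVE-2021-22204 (eval of attacker-controlled DjVu annotation text), bug #<gentoo-bug-id>` would let a reader judge at a glance whether the patch can be dropped on the next version bump. The patch's own header says its Origin is upstream release 12.24 while the hunk offsets (`@@ -227,10 +227,11 @@`) are applied to the 12.16 tree, so it is worth confirming once that eapply takes it without fuzz; a context mismatch would only surface as a build failure. `SRC_TEST="do"` keeps the upstream test suite running, which presumably covers the DjVu parser whose escape handling this patch changes, so leaving tests enabled is the right call for this revision.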
@@ -0,0 +1,30 @@
+Description: Fix 'eval injection".
+ CVE-2021-22204: Improper neutralization of user data in the DjVu file
+ format in ExifTool versions 7.44 and up allows arbitrary code execution
+ when parsing the malicious image
+Origin: upstream release 12.24
+Bug-Debian: https://bugs.debian.org/987505
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1925985
+Author: Phil Harvey
+Reviewed-by: gregor herrmann
+Last-Update: 2021-04-24
+Applied-Upstream: https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
+
+--- a/lib/Image/ExifTool/DjVu.pm
++++ b/lib/Image/ExifTool/DjVu.pm
+@@ -227,10 +227,11 @@
+                 last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
+                 $tok .= '"';    # quote is part of the string
+             }
+-            # must protect unescaped "$" and "@" symbols, and "\" at end of string
+-            $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
+-            # convert C escape sequences (allowed in quoted text)
+-            $tok = eval qq{"$tok"};
++            # convert C escape sequences, allowed in quoted text
++            # (note: this only converts a few of them!)
++            my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
++                        r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
++            $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
+         } else {                # key name
+             pos($$dataPt) = pos($$dataPt) - 1;
+             # allow anything in key but whitespace, braces and double quotes
-- 
cgit v1.2.3