oss-sec mailing list archives

[CVE-2021-22204] ExifTool - Arbitrary code execution in the DjVu module when parsing a malicious image

From: William Bowling <will () wbowling info>
Date: Sun, 9 May 2021 14:32:25 +1000

ExifTool 7.44 to 12.23 has a bug in the DjVu module which allows for
arbitrary code execution when parsing malicious images. The bug can be
triggered from a wide variety of valid file formats.

The bug has been fixed in version 12.24.


References:

Fixed release - https://exiftool.org/history.html#v12.24
Upstream patch -
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204

--

GPG Key ID: 0x980F711A

GPG Key Fingerprint: AA38 2A0E 7D22 18A9 6086  0289 41DC E04B 980F 711A

Current thread:

[CVE-2021-22204] ExifTool - Arbitrary code execution in the DjVu module when parsing a malicious image William Bowling (May 09)
- Re: [CVE-2021-22204] ExifTool - Arbitrary code execution in the DjVu module when parsing a malicious image Jakub Wilk (May 10)