diff options
author | Phil Harvey <philharvey66@gmail.com> | 2021-04-24 22:40:21 +0200 |
---|---|---|
committer | gregor herrmann <gregoa@debian.org> | 2021-04-24 22:40:21 +0200 |
commit | e8575c863921fa4b4b5ad60273345d251f692b6b (patch) | |
tree | 4b952cd5d539e2de5266d9610cdc025c993ff584 | |
parent | 5f175b3bb7db706cf840d8ee0f292a64e0abfae2 (diff) |
Fix 'eval injection".archive/debian/12.16+dfsg-2
Origin: upstream release 12.24
Bug-Debian: https://bugs.debian.org/987505
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1925985
Reviewed-by: gregor herrmann <gregoa@debian.org>
Last-Update: 2021-04-24
Applied-Upstream: https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
CVE-2021-22204: Improper neutralization of user data in the DjVu file
format in ExifTool versions 7.44 and up allows arbitrary code execution
when parsing the malicious image
Gbp-Pq: Name CVE-2021-22204.patch
-rw-r--r-- | lib/Image/ExifTool/DjVu.pm | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/lib/Image/ExifTool/DjVu.pm b/lib/Image/ExifTool/DjVu.pm index c284d104..661cc1fb 100644 --- a/lib/Image/ExifTool/DjVu.pm +++ b/lib/Image/ExifTool/DjVu.pm @@ -227,10 +227,11 @@ Tok: for (;;) { last unless $tok =~ /(\\+)$/ and length($1) & 0x01; $tok .= '"'; # quote is part of the string } - # must protect unescaped "$" and "@" symbols, and "\" at end of string - $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge; - # convert C escape sequences (allowed in quoted text) - $tok = eval qq{"$tok"}; + # convert C escape sequences, allowed in quoted text + # (note: this only converts a few of them!) + my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n", + r => "\r", t => "\t", '"' => '"', '\\' => '\\' ); + $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs; } else { # key name pos($$dataPt) = pos($$dataPt) - 1; # allow anything in key but whitespace, braces and double quotes |