ExifTool Forum

ExifTool => Bug Reports / Feature Requests => Topic started by: Neal Krawetz on November 21, 2021, 06:51:19 PM

Title: CVE-2021-22205?
Post by: Neal Krawetz on November 21, 2021, 06:51:19 PM
Is CVE-2021-22205 a bug in ExifTool or is it limited to GitLab?

https://gitlab.com/gitlab-org/gitlab/-/issues/327121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205
https://hackerone.com/reports/1154542
Title: Re: CVE-2021-22205?
Post by: Neal Krawetz on November 21, 2021, 06:54:39 PM
The bug appears to be that GitLab pumps files through ExifTool to remove metadata from JPEG files.
However, if the file is a djvu, then it can run arbitrary code.  (Let me know if I have that wrong.)

In https://gitlab.com/gitlab-org/gitlab/-/issues/327121, there is a quoted comment from Phil (2021-04-08?).  If this is fixed, what version of ExifTool contains the fix?
Title: Re: CVE-2021-22205?
Post by: StarGeek on November 21, 2021, 09:33:05 PM
Apr. 13, 2021 - Version 12.24 (https://exiftool.org/ancient_history.html#v12.24)
Title: Re: CVE-2021-22205?
Post by: Neal Krawetz on November 21, 2021, 11:28:03 PM
Thank you.

I'm surprised that isn't mentioned in the CVE.
(Glad to know my own use of ExifTool was patched months ago.)
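
Added example (not part of the thread, and not ExifTool or GitLab code): a pre-flight gate for a service that hands uploads to ExifTool, combining the two points above, that the fix is in version 12.24 and that a DjVu file reached a code path meant for JPEGs. The function names, the allowlist and the sample byte strings are assumptions constructed for illustration.

```python
import re

FIXED_VERSION = (12, 24)  # per the thread: fixed in ExifTool 12.24 (Apr. 13, 2021)

def parse_version(text):
    """Parse `exiftool -ver` output such as '12.24' into a tuple of ints.
    Assumes ExifTool's usual major.minor form with a two-digit minor."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised ExifTool version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_patched(version_text):
    """True when the installed ExifTool is at or past the fixed release."""
    return parse_version(version_text) >= FIXED_VERSION

def sniff(data):
    """Classify by leading magic bytes, ignoring file name and declared type."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    # DjVu: 'AT&T' + IFF 'FORM' + 4-byte length + 'DJVU' (single page) or 'DJVM'
    if data[:8] == b"AT&TFORM" and data[12:16] in (b"DJVU", b"DJVM"):
        return "djvu"
    return "unknown"

def may_process(filename, data, version_text, allowed=("jpeg",)):
    """Return (ok, reason) before passing an upload to the metadata stripper."""
    if not is_patched(version_text):
        return False, "exiftool older than 12.24"
    kind = sniff(data)
    if kind not in allowed:
        return False, f"content is {kind}, not allowlisted (name: {filename})"
    return True, "ok"

# Constructed sample inputs: headers only, not real files.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_DJVU_AS_JPG = b"AT&TFORM\x00\x00\x00\x20DJVUINFO"

if __name__ == "__main__":
    cases = [
        ("photo.jpg", SAMPLE_JPEG, "12.24"),
        ("photo.jpg", SAMPLE_DJVU_AS_JPG, "12.24"),  # DjVu content, .jpg name
        ("photo.jpg", SAMPLE_JPEG, "12.23"),         # unpatched ExifTool
    ]
    for name, data, ver in cases:
        print(name, ver, may_process(name, data, ver))
```

In a real deployment the version string would come from running `exiftool -ver`, and the content check would run on the first bytes of the upload before ExifTool is invoked.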