openSUSE Security Update : perl-Image-ExifTool (openSUSE-2021-707)

high Nessus Plugin ID 149550

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for perl-Image-ExifTool fixes the following issues :

Update to version 12.25 fixes (boo#1185547 CVE-2021-22204)

- JPEG XL support is now official

- Added read support for Medical Research Council (MRC) image files

- Added ability to write a number of 3gp tags in video files

- Added a new Sony PictureProfile value (thanks Jos Roost)

- Added a new Sony LensType (thanks LibRaw)

- Added a new Nikon LensID (thanks Niels Kristian Bech Jensen)

- Added a new Canon LensType

- Decode more GPS information from Blackvue dashcam videos

- Decode a couple of new NikonSettings tags (thanks Warren Hatch)

- Decode a few new RIFF tags

- Improved Validate option to add minor warning if standard XMP is missing xpacket wrapper

- Avoid decoding some large arrays in DNG images to improve performance unless the -m option is used

- Patched bug that could give runtime warning when trying to write an empty XMP structure

- Fixed decoding of ImageWidth/Height for JPEG XL images

- Fixed problem were Microsoft Xtra tags couldn't be deleted

version 12.24 :

- Added a new PhaseOne RawFormat value (thanks LibRaw)

- Decode a new Sony tag (thanks Jos Roost)

- Decode a few new Panasonic and FujiFilm tags (thanks LibRaw and Greybeard)

- Patched security vulnerability in DjVu reader

- Updated acdsee.config in distribution (thanks StarGeek)

- Recognize AutoCAD DXF files

- More work on experimental JUMBF read support

- More work on experimental JPEG XL read/write support

version 12.23 :

- Added support for Olympus ORI files

- Added experimental read/write support for JPEG XL images

- Added experimental read support for JUMBF metadata in JPEG and Jpeg2000 images

- Added built-in support for parsing GPS track from Denver ACG-8050 videos with the -ee option

- Added a some new Sony lenses (thanks Jos Roost and LibRaw)

- Changed priority of Samsung trailer tags so the first DepthMapImage takes precedence when -a is not used

- Improved identification of M4A audio files

- Patched to avoid escaping ',' in 'Binary data' message when

-struct is used

- Removed Unknown flag from MXF VideoCodingSchemeID tag

- Fixed -forcewrite=EXIF to apply to EXIF in binary header of EPS files

- API Changes :

+ Added BlockExtract option

version 12.22 :

- Added a few new Sony LensTypes and a new SonyModelID (thanks Jos Roost and LibRaw)

- Added Extra BaseName tag

- Added a new CanonModelID (thanks LibRaw)

- Decode timed GPS from unlisted programs in M2TS videos with the -ee3 option

- Decode more Sony rtmd tags

- Decode some tags for the Sony ILME-FX3 (thanks Jos Roost)

- Allow negative values to be written to XMP-aux:LensID

- Recognize HEVC video program in M2TS files

- Enhanced -b option so --b suppresses tags with binary data

- Improved flexibility when writing GPS coordinates :

+ Now pulls latitude and longitude from a combined GPSCoordinates string

+ Recognizes the full word 'South' and 'West' to write negative coordinates

- Improved warning when trying to write an integer QuickTime date/time tag and Time::Local is not available

- Convert GPSSpeed from mph to km/h in timed GPS from Garmin MP4 videos

version 12.21 :

- Added a few new iOS QuickTime tags

- Decode a couple more Sony rtmd tags

- Patch to avoid possible 'Use of uninitialized value' warning when attempting to write QuickTime date/time tags with an invalid value

- Fixed problem writing Microsoft Xtra tags

- Fixed Windows daylight savings time patch for file times that was broken in 12.19 (however directory times will not yet handle DST properly)

version 12.20 :

- Added ability to write some Microsoft Xtra tags in MOV/MP4 videos

- Added two new Canon LensType values (thanks Norbert Wasser)

- Added a new Nikon LensID

- Fixed problem reading FITS comments that start before column 11

version 12.19 :

- Added -list_dir option

- Added the 'ls-l' Shortcut tag

- Extract Comment and History from FITS files

- Enhanced FilePermissions to include device type (similar to 'ls -l')

- Changed the name of Apple ContentIdentifier tag to MediaGroupUUID (thanks Neal Krawetz)

- Fixed a potential 'substr outside of string' runtime error when reading corrupted EXIF

- Fixed edge case where NikonScanIFD may not be copied properly when copying MakerNotes to another file

- API Changes :

+ Added ability to read/write System tags of directories

+ Enhanced GetAllGroups() to support family 7 and take optional ExifTool reference

+ Changed QuickTimeHandler option default to 1

version 12.18 :

- Added a new SonyModelID

- Decode a number of Sony tags for the ILCE-1 (thanks Jos Roost)

- Decode a couple of new Canon tags (thanks LibRaw)

- Patched to read differently formatted UserData:Keywords as written by iPhone

- Patched to tolerate out-of-order Nikon MakerNote IFD entries when obtaining tags necessary for decryption

- Fixed a few possible Condition warnings for some NikonSettings tags

version 12.17 :

- Added a new Canon FocusMode value

- Added a new FujiFilm FilmMode value

- Added a number of new XMP-crs tags (thanks Herb)

- Decode a new H264 MDPM tag

- Allow non-conforming lower-case XMP boolean 'true' and 'false' values to be written, but only when print conversion is disabled

- Improved Validate option to warn about non-capitalized boolean XMP values

- Improved logic for setting GPSLatitude/LongitudeRef values when writing

- Changed -json and -php options so the -a option is implied even without the -g option

- Avoid extracting audio/video data from AVI videos when
-ee

-u is used

- Patched decoding of Canon ContinuousShootingSpeed for newer firmware versions of the EOS-1DXmkIII

- Re-worked LensID patch of version 12.00 (github issue #51)

- Fixed a few typos in newly-added NikonSettings tags (thanks Herb)

- Fixed problem where group could not be specified for PNG-pHYs tags when writing version 12.16 :

- Extract another form of video subtitle text

- Enhanced -ee option with -ee2 and -ee3 to allow parsing of the H264 video stream in MP4 files

- Changed a Nikon FlashMode value

- Fixed problem that caused a failed DPX test on Strawberry Perl

- API Changes :

+ Enhanced ExtractEmbedded option

version 12.15 :

- Added a couple of new Sony LensType values (thanks LibRaw and Jos Roost)

- Added a new Nikon FlashMode value (thanks Mike)

- Decode NikonSettings (thanks Warren Hatch)

- Decode thermal information from DJI RJPEG images

- Fixed extra newline in -echo3 and -echo4 outputs added in version 12.10

- Fixed out-of-memory problem when writing some very large PNG files under Windows

version 12.14 :

- Added support for 2 more types of timed GPS in video files (that makes 49 different formats now supported)

- Added validity check for PDF trailer dictionary Size

- Added a new Pentax LensType

- Extract metadata from Jpeg2000 Association box

- Changed -g:XX:YY and -G:XX:YY options to show empty strings for non-existent groups

- Patched to issue warning and avoid writing date/time values with a zero month or day number

- Patched to avoid runtime warnings if trying to set FileName to an empty string

- Fixed issue that could cause GPS test number 12 to fail on some systems

- Fixed problem extracting XML as a block from Jpeg2000 images, and extract XML tags in the XML group instead of XMP

- Update URL

update to 12.13 :

- Add time zone automatically to most string-based QuickTime date/time tags when writing unless the PrintConv option is disabled

- Added -i HIDDEN option to ignore files with names that start with '.'

- Added a few new Nikon ShutterMode values (thanks Jan Skoda)

- Added ability to write Google GCamera MicroVideo XMP tags

- Decode a new Sony tag (thanks LibRaw)

- Changed behaviour when writing only pseudo tags to return an error and avoid writing any other tags if writing FileName fails

- Print 'X image files read' message even if only 1 file is read when at least one other file has failed the -if condition

- Added ability to geotag from DJI CSV log files

- Added a new CanonModelID

- Added a couple of new Sony LensType values (thanks LibRaw)

- Enhanced -csvDelim option to allow '\t', ' ', '\r' and '\\'

- Unescape '\b' and '\f' in imported JSON values

- Fixed bug introduced in 12.10 which generated a 'Not an integer' warning when attempting to shift some QuickTime date/time tags

- Fixed shared-write permission problem with -@ argfile when using -stay_open and a filename containing special characters on Windows

- Added -csvDelim option

- Added new Canon and Olympus LensType values (thanks LibRaw)

- Added a warning if ICC_Profile is deleted from an image (github issue #63)

- EndDir() function for -if option now works when
-fileOrder is used

- Changed FileSize conversion to use binary prefixes since that is how the conversion is currently done (eg. MiB instead of MB)

- Patched -csv option so columns aren't resorted when using -G option and one of the tags is missing from a file

- Fixed incompatiblity with Google Photos when writing UserData:GPSCoordinates to MP4 videos

- Fixed problem where the tags available in a -p format string were limited to the same as the -if[NUM] option when NUM was specified

- Fixed incorrect decoding of SourceFileIndex/SourceDirectoryIndex for Ricoh models

Update to 12.10

- Added -validate test for proper TIFF magic number in JPEG EXIF header

- Added support for Nikon Z7 LensData version 0801

- Added a new XMP-GPano tag

- Decode ColorData for the Canon EOS 1DXmkIII

- Decode more tags for the Sony ILCE-7SM3

- Automatically apply QuickTimeUTC option for CR3 files

- Improved decoding of XAttrMDLabel from MacOS files

- Ignore time zones when writing date/time values and using the -d option

- Enhanced -echo3 and -echo4 options to allow exit status to be returned

- Changed -execute so the -q option no longer suppresses the '(ready)' message when a synchronization number is used

- Added ability to copy CanonMakerNotes from CR3 images to other file types

- Added read support for ON1 presets file (.ONP)

- Added two new CanonModelID values

- Added trailing '/' when writing QuickTime:GPSCoordinates

- Added a number of new XMP-crs tags

- Added a new Sony LensType (thanks Jos Roost)

- Added a new Nikon Z lens (thanks LibRaw)

- Added a new Canon LensType

- Decode ColorData for Canon EOS R5/R6

- Decode a couple of new HEIF tags

- Decode FirmwareVersion for Canon M50

- Improved decoding of Sony CreativeStyle tags

- Improved parsing of Radiance files to recognize comments

- Renamed GIF AspectRatio tag to PixelAspectRatio

- Patched EndDir() feature so subdirectories are always processed when -r is used (previously, EndDir() would end processing of a directory completely)

- Avoid loading GoPro module unnecessarily when reading MP4 videos from some other cameras

- Fixed problem with an incorrect naming of CodecID tags in some MKV videos

- Fixed verbose output to avoid 'adding' messages for existing flattened XMP tags

- Added a new Sony LensType

- Recognize Mac OS X xattr files

- Extract ThumbnailImage from MP4 videos of more dashcam models

- Improved decoding of a number of Sony tags

- Fixed problem where the special -if EndDir() function didn't work properly for directories after the one in which it was initially called

- Patched to read DLL files which don't have a .rsrc section

- Patched to support new IGC date format when geotagging

- Patched to read DLL files with an invalid size in the header

- Added support for GoPro .360 videos

- Added some new Canon RF and Nikkor Z lenses

- Added some new Sony LensType and CreativeStyle values and decode some ILCE-7C tags

- Added a number of new Olympus SceneMode values

- Added a new Nikon LensID

- Decode more timed metadata from Insta360 videos

- Decode timed GPS from videos of more Garmin dashcam models

- Decode a new GoPro video tag

- Reformat time-only EventTime values when writing and prevent arbitrary strings from being written

- Patched to accept backslashes in SourceFile entries for
-csv option

update to 12.06

- Added read support for Lyrics3 metadata (and fixed problem where APE metadata may be ignored if Lyrics3 exists)

- Added a new Panasonic VideoBurstMode value

- Added a new Olympus MultipleExposureMode value

- Added a new Nikon LensID

- Added back conversions for XMP-dwc EventTime that were removed in 12.04 with a patch to allow time-only values

- Decode GIF AspectRatio

- Decode Olympus FocusBracketStepSize

- Extract PNG iDOT chunk in Binary format with the name AppleDataOffsets

- Process PNG images which do not start with mandatory IHDR chunk

- Added a new Panasonic SelfTimer value

- Decode a few more DPX tags

- Extract AIFF APPL tag as ApplicationData

- Fixed bug writing QuickTime ItemList 'gnre' Genre values

- Fixed an incorrect value for Panasonic VideoBurstResolution

- Fixed problem when applying a time shift to some invalid makernote date/time values

update to 12.04 :

- See /usr/share/doc/packages/perl-Image-ExifTool/Change

update to 11.50, see Image-ExifTool-11.50.tar.gz for details

Update to version 11.30 :

- Add a new Sony/Minolta LensType.

- Decode streaming metadata from TomTom Bandit Action Cam MP4 videos.

- Decode Reconyx HF2 PRO maker notes.

- Decode ColorData for some new Canon models.

- Enhanced -geotag feature to set AmbientTemperature if available.

- Remove non-significant spaces from some DICOM values.

- Fix possible ''x' outside of string' error when reading corrupted EXIF.

- Fix incorrect write group for GeoTIFF tags.

Update to version 11.29

- See /usr/share/doc/packages/perl-Image-ExifTool/Changes

Update to version 11.27

- See /usr/share/doc/packages/perl-Image-ExifTool/Changes

Update to version 11.24

- See /usr/share/doc/packages/perl-Image-ExifTool/Changes

Update to version 11.11 (changes since 11.01) :

- See /usr/share/doc/packages/perl-Image-ExifTool/Changes

Update to 11.01 :

- Added a new ProfileCMMType

- Added a Validate warning about non-standard EXIF or XMP in PNG images

- Added a new Canon LensType

- Decode a couple more PanasonicRaw tags

- Patched to avoid adding tags to QuickTime videos with multiple 'mdat' atoms --> avoids potential corruption of these videos!

Update to 11.00 :

- Added read support for WTV and DVR-MS videos

- Added print conversions for some ASF date/time tags

- Added a new SonyModelID

- Decode a new PanasonicRaw tag

- Decode some new Sony RX100 VI tags

- Made Padding and OffsetSchema tags 'unsafe' so they aren't copied by default

Solution

Update the affected perl-Image-ExifTool packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1185547

Plugin Details

Severity: High

ID: 149550

File Name: openSUSE-2021-707.nasl

Version: 1.6

Type: local

Agent: unix

Published: 5/18/2021

Updated: 7/25/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-22204

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:exiftool, p-cpe:/a:novell:opensuse:perl-image-exiftool, p-cpe:/a:novell:opensuse:perl-file-randomaccess

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/10/2021

Vulnerability Publication Date: 4/23/2021

CISA Known Exploited Vulnerability Due Dates: 12/1/2021

Exploitable With

Metasploit (ExifTool DjVu ANT Perl injection)

Reference Information

CVE: CVE-2021-22204