mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-11-14 19:05:10 -05:00
0f2b5f7f73
* gnu/packages/patches/perl-image-exiftool-CVE-2021-22204.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/photo.scm (perl-image-exiftool)[source]: Use it.
38 lines
1.6 KiB
Diff
38 lines
1.6 KiB
Diff
Fix CVE-2021-22204:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204
|
|
|
|
Patch extracted from commit cf0f4e7dcd024ca99615bfd1102a841a25dde031
|
|
from upstream source repository:
|
|
|
|
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
|
|
|
|
diff --git a/lib/Image/ExifTool/DjVu.pm b/lib/Image/ExifTool/DjVu.pm
|
|
index c284d10..03b3f9f 100644
|
|
--- a/lib/Image/ExifTool/DjVu.pm
|
|
+++ b/lib/Image/ExifTool/DjVu.pm
|
|
@@ -18,7 +18,7 @@ use strict;
|
|
use vars qw($VERSION);
|
|
use Image::ExifTool qw(:DataAccess :Utils);
|
|
|
|
-$VERSION = '1.06';
|
|
+$VERSION = '1.07';
|
|
|
|
sub ParseAnt($);
|
|
sub ProcessAnt($$$);
|
|
@@ -227,10 +227,11 @@ Tok: for (;;) {
|
|
last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
|
|
$tok .= '"'; # quote is part of the string
|
|
}
|
|
- # must protect unescaped "$" and "@" symbols, and "\" at end of string
|
|
- $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
|
|
- # convert C escape sequences (allowed in quoted text)
|
|
- $tok = eval qq{"$tok"};
|
|
+ # convert C escape sequences, allowed in quoted text
|
|
+ # (note: this only converts a few of them!)
|
|
+ my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
|
|
+ r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
|
|
+ $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
|
|
} else { # key name
|
|
pos($$dataPt) = pos($$dataPt) - 1;
|
|
# allow anything in key but whitespace, braces and double quotes
|