Ubuntu
libimage-exiftool-perl package

[MIR] libimage-exiftool-perl

Bug #1471476 reported by Till Kamppeter
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libimage-exiftool-perl (Ubuntu)
Fix Released
High
Unassigned

Bug Description

[Availability]

libimage-exiftool-perl is already available in Universe and is architecture-independent, therefore available for all supported architectures.

[Rationale]

libimage-exiftool-perl is used by the debian/license-miner script in the Ghostscript package which is run at build time. It separates copyright/license data from binary files (images, fonts, ...) and drops them in separate text files so that the licensecheck utility of the devscripts package can find all copyrights and licenses of the Ghostscript upstream source. So this package is needed by the current ghostscript package as synced from Debian.

[Security]

No open or solved security issues or CVEs found.

This is a standard Perl library package consisting of only Perl code and documentation packaged in the standard way for Perl libraries. There is no SUID, SGID, /usr/sbin/*, daemons, does not listen on any port.

[Quality assurance]

Simple Perl library package, no direct user interaction, no UI or GUI, contains only the usual *.pm and *.pl files. API is documented by man pages.

No debconf questions asked during install.

Only one Ubuntu bug, no open Debian bugs.

Package is maintained, there are regular package uploads. Upstream version is the current one.

watch file is included.

[Dependencies]

Nothing special, only standard build tools which are in Main.

[Standards compliance]

Library package packaged following the standards for Perl libraries. no UI/GUI .

[Maintenance]

Regular uploads by the package maintainer. Current package upstream version is the actually current upstream version.

[Background information]

Package is for readin out meta data from image files. It is used by the build process of the Ghostscript package.

Till Kamppeter (till-kamppeter)
Changed in libimage-exiftool-perl (Ubuntu):
importance: Undecided → High
Revision history for this message
Michael Terry (mterry) wrote :

It feels odd to me that libimage-exiftool-perl is shipping File/RandomAccess.pm files alongside the expected Image/ExifTool/ ones... But they don't seem to conflict with any other package. So that's OK I guess.

Packaging looks fine besides.

It also looks like it does its own parsing of image file formats, rather than using external libraries? That might need a security look then, just to make sure it's not doing anything stupid.

Changed in libimage-exiftool-perl (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed libimage-exiftool-perl version 10.00-1 as checked into Ubuntu
wily. This shouldn't be considered a full security audit and indeed I
reviewed less code than I'd like due to time constraints.

This codebase is incredibly complicated; it embeds knowledge about
hundreds, if not thousands, of image formats and metadata formats. It's
been well-designed to use little miniature methods defined as strings in
hashes which makes for a nice object-oriented design. However, this also
makes it nearly impossible to discover potential locations where untrusted
inputs may be executed as perl code because the eval feature is used
hundreds of times, both for error handling and these micromethods.

I believe I found a security issue while investigating and have mailed the
author for feedback; it's complicated enough that I'm not certain of my
finding.

The coding looks disciplined, the copious comments are helpful, and
there's a good selection of tests run during the build. The sketchiest
code appeared to be used for code generation and documentation generation;
code that handles file inputs checked arguments extensively.

Security team ACK for promoting libimage-exiftool-perl to main.

Thanks

Changed in libimage-exiftool-perl (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Martin Pitt (pitti) wrote :

Thanks for the review! Promoted now.

Changed in libimage-exiftool-perl (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.