[MIR] libimage-exiftool-perl
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | libimage-exiftool-perl (Ubuntu) |
High
|
Unassigned | ||
Bug Description
[Availability]
libimage-
[Rationale]
libimage-
[Security]
No open or solved security issues or CVEs found.
This is a standard Perl library package consisting of only Perl code and documentation packaged in the standard way for Perl libraries. There is no SUID, SGID, /usr/sbin/*, daemons, does not listen on any port.
[Quality assurance]
Simple Perl library package, no direct user interaction, no UI or GUI, contains only the usual *.pm and *.pl files. API is documented by man pages.
No debconf questions asked during install.
Only one Ubuntu bug, no open Debian bugs.
Package is maintained, there are regular package uploads. Upstream version is the current one.
watch file is included.
[Dependencies]
Nothing special, only standard build tools which are in Main.
[Standards compliance]
Library package packaged following the standards for Perl libraries. no UI/GUI .
[Maintenance]
Regular uploads by the package maintainer. Current package upstream version is the actually current upstream version.
[Background information]
Package is for readin out meta data from image files. It is used by the build process of the Ghostscript package.
| Changed in libimage-exiftool-perl (Ubuntu): | |
| importance: | Undecided → High |
| Michael Terry (mterry) wrote : | #1 |
| Changed in libimage-exiftool-perl (Ubuntu): | |
| assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
| Seth Arnold (seth-arnold) wrote : | #2 |
I reviewed libimage-
wily. This shouldn't be considered a full security audit and indeed I
reviewed less code than I'd like due to time constraints.
This codebase is incredibly complicated; it embeds knowledge about
hundreds, if not thousands, of image formats and metadata formats. It's
been well-designed to use little miniature methods defined as strings in
hashes which makes for a nice object-oriented design. However, this also
makes it nearly impossible to discover potential locations where untrusted
inputs may be executed as perl code because the eval feature is used
hundreds of times, both for error handling and these micromethods.
I believe I found a security issue while investigating and have mailed the
author for feedback; it's complicated enough that I'm not certain of my
finding.
The coding looks disciplined, the copious comments are helpful, and
there's a good selection of tests run during the build. The sketchiest
code appeared to be used for code generation and documentation generation;
code that handles file inputs checked arguments extensively.
Security team ACK for promoting libimage-
Thanks
| Changed in libimage-exiftool-perl (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Martin Pitt (pitti) wrote : | #3 |
Thanks for the review! Promoted now.
| Changed in libimage-exiftool-perl (Ubuntu): | |
| status: | New → Fix Released |
It feels odd to me that libimage-
Packaging looks fine besides.
It also looks like it does its own parsing of image file formats, rather than using external libraries? That might need a security look then, just to make sure it's not doing anything stupid.