Data update for 2024-08-24 (briandfoy/cpan-security-advisory#160)

briandfoy · Aug 23, 2024 · 91b038e · 91b038e
1 parent efde270
commit 91b038e
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 18 deletions.
diff --git a/Changes b/Changes
@@ -1,5 +1,8 @@
 Revision history for Perl extension CPAN-Audit
 
+20240822.001 2024-08-22T06:32:12Z
+	* Data update for 2024-08-22
+
 20240718.001 2024-07-18T17:32:37Z
 	* data update, and fix for briandfoy/cpan-security-advisory#157
 

diff --git a/cpan-security-advisory b/cpan-security-advisory
diff --git a/lib/CPAN/Audit.pm b/lib/CPAN/Audit.pm
@@ -14,7 +14,7 @@ use CPAN::Audit::Version;
 use CPAN::Audit::Query;
 use CPAN::Audit::DB;
 
-our $VERSION = '20240822.001';
+our $VERSION = '20240824.001';
 
 sub new {
 	my( $class, %params ) = @_;

diff --git a/lib/CPAN/Audit/DB.pm b/lib/CPAN/Audit/DB.pm
@@ -1,12 +1,12 @@
-# created by util/generate at Thu Aug 22 02:08:50 2024
-# cpan-security-advisory +cf7c1af0eac1915d64b4d4aded75ea7e2ab9525c
+# created by util/generate at Fri Aug 23 11:58:01 2024
+# cpan-security-advisory +7269468a4aeb9736a5aa0b183d428b243e682572
 #
 package CPAN::Audit::DB;
 
 use strict;
 use warnings;
 
-our $VERSION = '20240822.001';
+our $VERSION = '20240823.001';
 
 sub db {
 	{
@@ -19423,6 +19423,10 @@ sub db {
                                                   {
                                                     'date' => '2024-08-20T11:29:56',
                                                     'version' => '1.643_01'
+                                                  },
+                                                  {
+                                                    'date' => '2024-08-22T07:09:52',
+                                                    'version' => '1.643_02'
                                                   }
                                                 ]
                                 },
@@ -35445,6 +35449,53 @@ weakness.
                                                                                  ],
                                                                  'reported' => '2022-01-25',
                                                                  'severity' => 'critical'
+                                                               },
+                                                               {
+                                                                 'affected_versions' => '>=7.44,<=12.23',
+                                                                 'cves' => [
+                                                                             'CVE-2021-22204'
+                                                                           ],
+                                                                 'description' => 'Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
+',
+                                                                 'distribution' => 'Image-ExifTool',
+                                                                 'fixed_versions' => '>12.23',
+                                                                 'id' => 'CPANSA-Image-ExifTool-2021-22204',
+                                                                 'references' => [
+                                                                                   'https://rt.cpan.org/Public/Bug/Display.html?id=>=7.44,<=12.23',
+                                                                                   'http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html',
+                                                                                   'http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html',
+                                                                                   'http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html',
+                                                                                   'http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html',
+                                                                                   'http://www.openwall.com/lists/oss-security/2021/05/09/1',
+                                                                                   'http://www.openwall.com/lists/oss-security/2021/05/10/5',
+                                                                                   'https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800',
+                                                                                   'https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json',
+                                                                                   'https://hackerone.com/reports/1154542',
+                                                                                   'https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html',
+                                                                                   'https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/',
+                                                                                   'https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/',
+                                                                                   'https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/',
+                                                                                   'https://www.debian.org/security/2021/dsa-4910'
+                                                                                 ],
+                                                                 'reported' => '2021-04-23',
+                                                                 'severity' => undef
+                                                               },
+                                                               {
+                                                                 'affected_versions' => '=8.32',
+                                                                 'cves' => [
+                                                                             'CVE-2018-20211'
+                                                                           ],
+                                                                 'description' => 'ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\\\\par-%username%\\\\cache-exiftool-8.32 folder with a victim\'s username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015).
+',
+                                                                 'distribution' => 'Image-ExifTool',
+                                                                 'fixed_versions' => '>8',
+                                                                 'id' => 'CPANSA-Image-ExifTool-2018-20211',
+                                                                 'references' => [
+                                                                                   'http://packetstormsecurity.com/files/150892/Exiftool-8.3.2.0-DLL-Hijacking.html',
+                                                                                   'http://seclists.org/fulldisclosure/2018/Dec/44'
+                                                                                 ],
+                                                                 'reported' => '2019-01-02',
+                                                                 'severity' => undef
                                                                }
                                                              ],
                                              'main_module' => 'Image::ExifTool',

diff --git a/lib/CPAN/Audit/DB.pm.gpg b/lib/CPAN/Audit/DB.pm.gpg
@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmbG1fMACgkQ+D+NXoeL
-YEGDoA//RQUD9JP7CZBVvYuqXleUMvK/1tYIllAyzQDSBcwHjNnQ7s6WcDCXDSWY
-LKjODCV8iZkMHvFkxxJiFwWp4lswrZP9+hq57dIdjCSfS70mWpc8cLEImfJrALqq
-MGkpu/Kbc2dsPQLnvcJIFOtcceB6+4sEUlGAT9VOJOz6l9Cl8PHCNai2/G0C4vGd
-dLVxhNOc94KLtQuAdJb6ib8q9GzL+gBCiidqWsHWt4KWLHkzr6nfUFJKAN1vRIKP
-laPpldVDzwsH1xwbZrgXZF1mgsh1x3nZN4tl7mVn0c7h6fDty7L5OZS06pgzpwIv
-Znq0iD2JkBE4YhZuuZShIGm71SsX4eRA4F4V9Rr1WmkLcxtbnq8KhFHDiDzPyVk4
-sWlJnukVsxhdEnn0ldJjKeFskEQ5JyHKYFmZ47TY5bBrS/hpq+9eR36s2XpvWrhG
-BowO5hky/Ya1pHIof1UujtIVIlipicSUCevBSbF4PyVTcX1eTOGx9uZgDgUYIcmd
-v9L6VB/3/zHLzfJ8PoVbbWR1NfFdoCpMyGqM4Z4d/muhq2RAiymqMh45Hi+Jcwp0
-T8kovZGL+KOn44P+Y07JuOscX/UbAbWo3lux0BCg4E1lh7tkH6i+i4fGevMmDWYs
-wWc3BX0gJfSn4lZJ/YYuBhRq7RikdTAJxYL6U9gLwuv0YWi7iCg=
-=wjXH
+iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmbIsYkACgkQ+D+NXoeL
+YEFd+w/+OghdjVg8VlEc3JHCmCLvxImHXVuSy43J+7xVuUzXEYpDJTc/THQ2mlFp
++a8v9KtJZOBP9W7XP8HXA5reZOW/G+oatjiOgzgoozOxok8IjYPZTCtjo1q7MSTh
+4AkkmPF72mSXkKqyTBQHePp1U4TlzL2deTppJQQkyv3o969TgHgok0N/PPrSch9q
+jlBDFIu9veo8DMBJ1kfqnEj6swSSKqad/HSmXNh/KLN+cF9Nvh2EdXv5AYRbU5uI
+DQA4vzSJD585TNEnLxISGFiHLIyJdl+zJM3iD2bg40F+CwVVK7lLsONnDx7ZNVRO
+Ue+exOdJweWHtDNJiKs98WX0/gBd0D1Xj39VN68fFE9y0L1ILAhIAbVbG3SJ6sD0
+GJP9f6b+rJj+C6padV0+7HA0e0TptLA+7y+qiD21few+pW7XK/8hm5bVFH1aWyRU
+CKc5YdmKy+0rPGQtnP9YMnpIyyOESxUsNS5d4059ShsBiD2dBOCdwBUsKozXxe+E
+DO1BX3M+kPzVVcsrfN7iQAw4tqfEaXaCbpaVPCTRdTQQBIzLIFnyneuCa7IzG81Z
+XxfskSSNbQi5PNstkij2+3z+Ev+5QKkGDMGv4uPXT+KWshrIEwpsiMc3QjpQqw49
+IWRcSMauTmQOchIGYHgCA1HtpVcmiAQcqXwFeyb96iyBwU773pA=
+=/ka7
 -----END PGP SIGNATURE-----