From 91b038eb7e9d25f5f23843e68b2755386ce98516 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Fri, 23 Aug 2024 12:00:40 -0400
Subject: [PATCH] Data update for 2024-08-24 (briandfoy/cpan-security-advisory#160)
---
 Changes | 3 +++
 cpan-security-advisory | 2 +-
 lib/CPAN/Audit.pm | 2 +-
 lib/CPAN/Audit/DB.pm | 57 +++++++++++++++++++++++++++++++++++++---
 lib/CPAN/Audit/DB.pm.gpg | 26 +++++++++---------
 5 files changed, 72 insertions(+), 18 deletions(-)
diff --git a/Changes b/Changes
index d94f87a..00c6511 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,8 @@
 Revision history for Perl extension CPAN-Audit
+20240822.001 2024-08-22T06:32:12Z
+ * Data update for 2024-08-22
+
 20240718.001 2024-07-18T17:32:37Z
 * data update, and fix for briandfoy/cpan-security-advisory#157
diff --git a/cpan-security-advisory b/cpan-security-advisory
index cf7c1af..7269468 160000
--- a/cpan-security-advisory
+++ b/cpan-security-advisory
@@ -1 +1 @@
-Subproject commit cf7c1af0eac1915d64b4d4aded75ea7e2ab9525c
+Subproject commit 7269468a4aeb9736a5aa0b183d428b243e682572
diff --git a/lib/CPAN/Audit.pm b/lib/CPAN/Audit.pm
index 5aef318..0e65ab8 100644
--- a/lib/CPAN/Audit.pm
+++ b/lib/CPAN/Audit.pm
@@ -14,7 +14,7 @@ use CPAN::Audit::Version;
 use CPAN::Audit::Query;
 use CPAN::Audit::DB;
-our $VERSION = '20240822.001';
+our $VERSION = '20240824.001';
 sub new {
 my( $class, %params ) = @_;
diff --git a/lib/CPAN/Audit/DB.pm b/lib/CPAN/Audit/DB.pm
index e2b4116..8662405 100644
--- a/lib/CPAN/Audit/DB.pm
+++ b/lib/CPAN/Audit/DB.pm
@@ -1,12 +1,12 @@
-# created by util/generate at Thu Aug 22 02:08:50 2024
-# cpan-security-advisory +cf7c1af0eac1915d64b4d4aded75ea7e2ab9525c
+# created by util/generate at Fri Aug 23 11:58:01 2024
+# cpan-security-advisory +7269468a4aeb9736a5aa0b183d428b243e682572
 #
 package CPAN::Audit::DB;
 use strict;
 use warnings;
-our $VERSION = '20240822.001';
+our $VERSION = '20240823.001';
 sub db {
 {
@@ -19423,6 +19423,10 @@ sub db {
 {
 'date' => '2024-08-20T11:29:56',
 'version' => '1.643_01'
+ },
+ {
+ 'date' => '2024-08-22T07:09:52',
+ 'version' => '1.643_02'
 }
 ]
 },
@@ -35445,6 +35449,53 @@ weakness.
 ],
 'reported' => '2022-01-25',
 'severity' => 'critical'
+ },
+ {
+ 'affected_versions' => '>=7.44,<=12.23',
+ 'cves' => [
+ 'CVE-2021-22204'
+ ],
+ 'description' => 'Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
+',
+ 'distribution' => 'Image-ExifTool',
+ 'fixed_versions' => '>12.23',
+ 'id' => 'CPANSA-Image-ExifTool-2021-22204',
+ 'references' => [
+ 'https://rt.cpan.org/Public/Bug/Display.html?id=>=7.44,<=12.23',
+ 'http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html',
+ 'http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html',
+ 'http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html',
+ 'http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html',
+ 'http://www.openwall.com/lists/oss-security/2021/05/09/1',
+ 'http://www.openwall.com/lists/oss-security/2021/05/10/5',
+ 'https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800',
+ 'https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json',
+ 'https://hackerone.com/reports/1154542',
+ 'https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html',
+ 'https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/',
+ 'https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/',
+ 'https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/',
+ 'https://www.debian.org/security/2021/dsa-4910'
+ ],
+ 'reported' => '2021-04-23',
+ 'severity' => undef
+ },
+ {
+ 'affected_versions' => '=8.32',
+ 'cves' => [
+ 'CVE-2018-20211'
+ ],
+ 'description' => 'ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\\\\par-%username%\\\\cache-exiftool-8.32 folder with a victim\'s username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015).
+',
+ 'distribution' => 'Image-ExifTool',
+ 'fixed_versions' => '>8',
+ 'id' => 'CPANSA-Image-ExifTool-2018-20211',
+ 'references' => [
+ 'http://packetstormsecurity.com/files/150892/Exiftool-8.3.2.0-DLL-Hijacking.html',
+ 'http://seclists.org/fulldisclosure/2018/Dec/44'
+ ],
+ 'reported' => '2019-01-02',
+ 'severity' => undef
 }
 ],
 'main_module' => 'Image::ExifTool',
diff --git a/lib/CPAN/Audit/DB.pm.gpg b/lib/CPAN/Audit/DB.pm.gpg
index 55a77e1..1f64a22 100644
--- a/lib/CPAN/Audit/DB.pm.gpg
+++ b/lib/CPAN/Audit/DB.pm.gpg
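Review bot: The new CPANSA-Image-ExifTool-2021-22204 entry carries a malformed reference, `'https://rt.cpan.org/Public/Bug/Display.html?id=>=7.44,<=12.23'` — the affected-version range has been substituted where an RT ticket number belongs, so the link cannot resolve and looks like a field mix-up in the upstream advisory. In the CPANSA-Image-ExifTool-2018-20211 entry, `'fixed_versions' => '>8'` contradicts `'affected_versions' => '=8.32'`, since 8.32 itself satisfies `>8`; `'fixed_versions' => '>8.32'` would agree with the description's note that 8.32 is an obsolete 2010 release. Both new entries also leave `'severity' => undef`, although the first describes arbitrary code execution when parsing an image and the neighbouring entry in this hunk is marked 'critical'. Because DB.pm is generated by util/generate from the cpan-security-advisory submodule, these should be fixed in the upstream advisory data and the file regenerated rather than patched here. The enclosing `sub db` data structure begins and ends outside the hunk.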
@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
-iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmbG1fMACgkQ+D+NXoeL
-YEGDoA//RQUD9JP7CZBVvYuqXleUMvK/1tYIllAyzQDSBcwHjNnQ7s6WcDCXDSWY
-LKjODCV8iZkMHvFkxxJiFwWp4lswrZP9+hq57dIdjCSfS70mWpc8cLEImfJrALqq
-MGkpu/Kbc2dsPQLnvcJIFOtcceB6+4sEUlGAT9VOJOz6l9Cl8PHCNai2/G0C4vGd
-dLVxhNOc94KLtQuAdJb6ib8q9GzL+gBCiidqWsHWt4KWLHkzr6nfUFJKAN1vRIKP
-laPpldVDzwsH1xwbZrgXZF1mgsh1x3nZN4tl7mVn0c7h6fDty7L5OZS06pgzpwIv
-Znq0iD2JkBE4YhZuuZShIGm71SsX4eRA4F4V9Rr1WmkLcxtbnq8KhFHDiDzPyVk4
-sWlJnukVsxhdEnn0ldJjKeFskEQ5JyHKYFmZ47TY5bBrS/hpq+9eR36s2XpvWrhG
-BowO5hky/Ya1pHIof1UujtIVIlipicSUCevBSbF4PyVTcX1eTOGx9uZgDgUYIcmd
-v9L6VB/3/zHLzfJ8PoVbbWR1NfFdoCpMyGqM4Z4d/muhq2RAiymqMh45Hi+Jcwp0
-T8kovZGL+KOn44P+Y07JuOscX/UbAbWo3lux0BCg4E1lh7tkH6i+i4fGevMmDWYs
-wWc3BX0gJfSn4lZJ/YYuBhRq7RikdTAJxYL6U9gLwuv0YWi7iCg=
-=wjXH
+iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmbIsYkACgkQ+D+NXoeL
+YEFd+w/+OghdjVg8VlEc3JHCmCLvxImHXVuSy43J+7xVuUzXEYpDJTc/THQ2mlFp
++a8v9KtJZOBP9W7XP8HXA5reZOW/G+oatjiOgzgoozOxok8IjYPZTCtjo1q7MSTh
+4AkkmPF72mSXkKqyTBQHePp1U4TlzL2deTppJQQkyv3o969TgHgok0N/PPrSch9q
+jlBDFIu9veo8DMBJ1kfqnEj6swSSKqad/HSmXNh/KLN+cF9Nvh2EdXv5AYRbU5uI
+DQA4vzSJD585TNEnLxISGFiHLIyJdl+zJM3iD2bg40F+CwVVK7lLsONnDx7ZNVRO
+Ue+exOdJweWHtDNJiKs98WX0/gBd0D1Xj39VN68fFE9y0L1ILAhIAbVbG3SJ6sD0
+GJP9f6b+rJj+C6padV0+7HA0e0TptLA+7y+qiD21few+pW7XK/8hm5bVFH1aWyRU
+CKc5YdmKy+0rPGQtnP9YMnpIyyOESxUsNS5d4059ShsBiD2dBOCdwBUsKozXxe+E
+DO1BX3M+kPzVVcsrfN7iQAw4tqfEaXaCbpaVPCTRdTQQBIzLIFnyneuCa7IzG81Z
+XxfskSSNbQi5PNstkij2+3z+Ev+5QKkGDMGv4uPXT+KWshrIEwpsiMc3QjpQqw49
+IWRcSMauTmQOchIGYHgCA1HtpVcmiAQcqXwFeyb96iyBwU773pA=
+=/ka7
 -----END PGP SIGNATURE-----