Bug#1135381: libimage-exiftool-perl: CVE-2026-7580

gregor herrmann gregoa at debian.org
Tue May 5 13:43:36 BST 2026


Control: found -1 13.00+dfsg-1

On Fri, 01 May 2026 23:01:29 +0200, Salvatore Bonaccorso wrote:

>CVE-2026-7580[0]:
>| A vulnerability was detected in Exiftool up to 13.53. Impacted is
>| the function Process_mrld of the file lib/Image/ExifTool/GM.pm of
>| the component JPEG/QuickTime/MOV/MP4. The manipulation of the
>| argument -ee results in code injection. Attacking locally is a
>| requirement. Upgrading to version 13.54 is recommended to address
>| this issue. The patch is identified as
>| 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade
>| the affected component. The fix in the source code mentions: "[J]ust
>| to be safe, probably never happen".

The code (actually the whole file) seems to have been introduced 
upstream in 12.82. The first upload to Debian after this release was
13.00+dfsg-1; setting the found version.


Cheers,
gregor

-- 
  .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
  : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
  `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
    `-   