CVE-2022-23935 ExifTool mishandles a $file =~ /\|$/ check, leading to command injection.


A remote attacker could leverage this flaw to execute arbitrary code or obtain sensitive information via a crafted file.

Technical details: The ExifTool package contains a script (in /usr/lib/Image/ExifTool/Image.pm) that parses (via lib/Exif/Parser.pm) incoming XMP metadata. When parsing XMP data, the script ignores characters that start with a '#' symbol, thereby ignoring directives such as XMP. In the script ($file =~ /\|$/) a '|' symbol is treated as a '#' symbol, which causes the validation of the '|' symbol to be skipped. As a result, the script does not check the input for injection characters and the input is not sanitized. In other words, the script does not perform adequate validation of the input. This could be exploited by a remote attacker through a crafted file to execute arbitrary code on the target system.

Reported by Dan Rosenberg of Cisco.

For Debian and Ubuntu-based systems, this issue has been fixed in version 12.38-1 of the ExifTool package. More details about this vulnerability can be found in the ExifTool Security Advisory.

For the rest of this advisory, we will focus on the Debian and Ubuntu-based distributions.
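The check named in the title, $file =~ /\|$/, guards against a Perl-specific hazard: the two-argument form of open() reads the I/O mode out of the filename itself, so a name ending in '|' is run as a command and its output is read instead of the file. The helper below is an added illustration written for this advisory, not ExifTool's own code; it shows that guard next to the three-argument open() that removes the hazard altogether. The function names and sample filenames are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not ExifTool's code: why a trailing '|' in a filename
# matters to a Perl program, and how to open files so that it cannot matter.
use strict;
use warnings;
use Errno qw(EINVAL);
use File::Temp qw(tempfile);

# Two-argument open(), e.g. open(my $fh, $file), takes the mode from the name:
# 'cmd |' means "run cmd and read its output", '| cmd' means "run cmd and
# write to it". A name such as 'photo.jpg|' therefore becomes a command, which
# is the class of bug that a $file =~ /\|$/ check is meant to catch.
sub looks_like_pipe_name {
    my ($file) = @_;
    return ($file =~ /\|\s*$/ || $file =~ /^\s*\|/) ? 1 : 0;
}

# Open a path read-only with the three-argument form. The mode is passed
# separately, so the name is a literal path and is never interpreted as a
# command. Returns a filehandle, or undef with $! set on failure.
sub open_for_read {
    my ($file) = @_;
    if (looks_like_pipe_name($file)) {
        $! = EINVAL;      # defence in depth: refuse pipe-looking names outright
        return undef;
    }
    open(my $fh, '<', $file) or return undef;   # no shell is involved here
    return $fh;
}

# Constructed sample input: one real temporary file and two pipe-looking names.
my ($tmp, $real_path) = tempfile(UNLINK => 1);
print $tmp "sample image bytes would go here\n";
close $tmp;

for my $name ($real_path, "$real_path|", '|id') {
    my $fh = open_for_read($name);
    if ($fh) {
        my $first = <$fh> // '';
        chomp $first;
        close $fh;
        print "opened  : $name -> read '$first'\n";
    } else {
        print "refused : $name -> $!\n";
    }
}
```

Only the plain temporary file is opened; both names carrying a '|' are refused before any open() call, and even without the guard the three-argument form would look for a file literally named that way rather than spawning anything.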

Summary

The ExifTool package contains a script (in /usr/lib/Image/ExifTool/Image.pm) that parses incoming XMP metadata. When parsing XMP data, the script ignores characters that start with a '#' symbol, thereby ignoring directives such as XMP. In the script ($file =~ /\|$/) a '|' symbol is treated as a '#' symbol, which causes the validation of the '|' symbol to be skipped. As a result, the script does not check the input for injection characters and the input is not sanitized. This could be exploited by a remote attacker through a crafted file to execute arbitrary code on the target system.
For Debian and Ubuntu-based systems, this issue has been fixed in version 12.38-1 of the ExifTool package.

Debian and Ubuntu-based distributions

CVE-2022-23935 affects the ExifTool package, which is included in the Debian and Ubuntu-based distributions. Every system on which this package is installed is affected.


We recommend that you install the latest version of ExifTool on your system and change the default configuration for TLP to be disabled in the config file.

Dependency updates and CVE-2022-23935

The following packages are updated and will be installed automatically:

    Package                       Reason
    aptitude update               The package list has been updated.
    aptitude install libtiff4     A dependency of ExifTool was updated.
    aptitude install libtasn1-6   A dependency of ExifTool was updated.

Debian and Ubuntu-based distributions: Stay away!

TLP is not officially supported on Debian or Ubuntu. However, it is our understanding that TLP can be installed on these operating systems. We have done our best to ensure that the installation process for TLP does not bring any unwanted surprises. That being said, we strongly suggest you stay away from installing TLP on these operating systems.
