This was fixed in version 12.24 (back in 2021) according to the version history page[0], but the current version still uses "eval" in several places[1]. This seems like an unnecessarily dangerous approach – wouldn't it have been a good idea to fix all the instances in the codebase after the bug was discovered?

[0] https://exiftool.org/ancient_history.html#v12.24

[1] https://github.com/search?q=repo%3Aexiftool%2Fexiftool+%2Feval%5B+%28%5D%2F+NOT+%2Feval.*require%2F&type=code
Exiftool is one of those open source tools which provides a lot of features just for free. It’s really amazing that people can work on something like this for so long.
So how do I know if there is bug bounty available for vulnerabilities in exiftool? Or ghostscript? Or ffmpeg, openssl, gnutls, sox, or any number of other packages I may be using?