Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-2120

NIXPKGS-2026-2120
published 2 hours ago
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed
updated 2 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • imager
    • usbimager
    • vcdimager
    • rpi-imager
    • gImageReader
    • gimagereader
    • gImageReader-qt
    • gimagereader-qt
    • perlPackages.ImagerQRCode
    • perl5Packages.ImagerQRCode
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. An attacker could craft an image with EXIF data that terminates a worker process.

Affected products

Imager
  • <1.033

Matching in nixpkgs

Ignored packages (10)

pkgs.usbimager

Very minimal GUI app that can write compressed disk images to USB drives

pkgs.vcdimager

Full-featured mastering suite for authoring, disassembling and analyzing Video CDs and Super Video CDs