RCE in GitLab when removing metadata using ExifTool

web
We discussed this vulnerability as part of our weekly podcast on 18 May 2021.

The vulnerability itself is in ExifTool. When parsing DjVu archive metadata, it parses the token, does some validation on it to make sure it's safe, and then calls eval on it to parse the C-style string escapes within the string. The problem is that the validation trips up on an escaped newline: it ignores the newline character and treats the next character as the escaped one. As a result, a backslash followed by a newline and then a quote is treated as though the quote is escaped, which allows an unescaped quote to be injected and arbitrary Perl to be added to the eval string.
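
The disagreement described above can be modelled without any eval. This is an added example, not ExifTool's Perl code: the function names and the sample token are constructed for illustration, and the table-driven decoder is one possible eval-free approach rather than the project's actual fix.

```python
# Added example: simplified model, all names and the sample are hypothetical.
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}

def flawed_unescaped_quotes(token):
    """Model of the flawed check: after a backslash, newlines are skipped
    and the character after them is treated as the escaped one."""
    found, i = [], 0
    while i < len(token):
        if token[i] == "\\":
            i += 1
            while i < len(token) and token[i] == "\n":
                i += 1          # the mistake: the newline is ignored here
            i += 1              # ...so this skips the wrong character
        else:
            if token[i] == '"':
                found.append(i)
            i += 1
    return found

def strict_unescaped_quotes(token):
    """A backslash escapes exactly one character, whatever it is."""
    found, i = [], 0
    while i < len(token):
        if token[i] == "\\":
            i += 2
        else:
            if token[i] == '"':
                found.append(i)
            i += 1
    return found

def decode_c_escapes(token):
    """Decode escapes with a lookup table; nothing is ever evaluated."""
    if strict_unescaped_quotes(token):
        raise ValueError("unescaped quote inside string token")
    out, i = [], 0
    while i < len(token):
        if token[i] == "\\" and i + 1 < len(token):
            nxt = token[i + 1]
            if nxt != "\n":     # backslash-newline is a line continuation
                out.append(SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(token[i])
            i += 1
    return "".join(out)

# Constructed sample: backslash, newline, quote, then trailing text.
SAMPLE = 'title\\\n" trailing text'
```

On the constructed sample, the flawed model reports no unescaped quote while the strict scan finds one at index 7, and the decoder rejects the token instead of passing it on.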