diff -Nru libimage-exiftool-perl-11.88/debian/changelog libimage-exiftool-perl-11.88/debian/changelog
--- libimage-exiftool-perl-11.88/debian/changelog 2020-02-22 10:16:04.000000000 +0000
+++ libimage-exiftool-perl-11.88/debian/changelog 2021-06-09 18:39:41.000000000 +0000
@@ -1,3 +1,16 @@
+libimage-exiftool-perl (11.88-1ubuntu0.1) focal-security; urgency=medium
+
+  * SECURITY UPDATE: Arbitrary code execution
+    - debian/patches/CVE-2021-22204.patch: Improper neutralization of user
+      data in the DjVu file format in ExifTool versions 7.44 and up allows
+      arbitrary code execution when parsing the malicious image. (LP: #1925985)
+      Thanks to William Bowling for the bug report on Launchpad.
+      Thanks to Gregor Herrmann for backporting the patch.
+      From debian release 12.16+dfsg-2.
+    - CVE-2021-22204
+
+ -- hugo buddelmeijer  Wed, 09 Jun 2021 20:39:41 +0200
+
 libimage-exiftool-perl (11.88-1) unstable; urgency=medium
 
   * Import upstream version 11.88.
diff -Nru libimage-exiftool-perl-11.88/debian/control libimage-exiftool-perl-11.88/debian/control
--- libimage-exiftool-perl-11.88/debian/control 2020-02-22 10:16:04.000000000 +0000
+++ libimage-exiftool-perl-11.88/debian/control 2021-06-09 18:39:41.000000000 +0000
@@ -1,5 +1,6 @@
 Source: libimage-exiftool-perl
-Maintainer: Debian Perl Group
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Perl Group
 Uploaders: Mari Wang , gregor herrmann
 Section: perl
diff -Nru libimage-exiftool-perl-11.88/debian/patches/CVE-2021-22204.patch libimage-exiftool-perl-11.88/debian/patches/CVE-2021-22204.patch
--- libimage-exiftool-perl-11.88/debian/patches/CVE-2021-22204.patch 1970-01-01 00:00:00.000000000 +0000
+++ libimage-exiftool-perl-11.88/debian/patches/CVE-2021-22204.patch 2021-06-09 18:39:41.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix 'eval injection".
+ CVE-2021-22204: Improper neutralization of user data in the DjVu file
+ format in ExifTool versions 7.44 and up allows arbitrary code execution
+ when parsing the malicious image
+Origin: upstream release 12.24
+Bug-Debian: https://bugs.debian.org/987505
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1925985
+Author: Phil Harvey
+Reviewed-by: gregor herrmann
+Last-Update: 2021-04-24
+Applied-Upstream: https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
+
+--- a/lib/Image/ExifTool/DjVu.pm
++++ b/lib/Image/ExifTool/DjVu.pm
+@@ -227,10 +227,11 @@
+                 last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
+                 $tok .= '"'; # quote is part of the string
+             }
+-            # must protect unescaped "$" and "@" symbols, and "\" at end of string
+-            $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
+-            # convert C escape sequences (allowed in quoted text)
+-            $tok = eval qq{"$tok"};
++            # convert C escape sequences, allowed in quoted text
++            # (note: this only converts a few of them!)
++            my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
++                        r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
++            $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
+         } else { # key name
+             pos($$dataPt) = pos($$dataPt) - 1;
+             # allow anything in key but whitespace, braces and double quotes
diff -Nru libimage-exiftool-perl-11.88/debian/patches/series libimage-exiftool-perl-11.88/debian/patches/series
--- libimage-exiftool-perl-11.88/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libimage-exiftool-perl-11.88/debian/patches/series 2021-06-09 18:39:41.000000000 +0000
@@ -0,0 +1 @@
+CVE-2021-22204.patch
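Review bot: The `my %esc = ( ... )` table in the quoted DjVu.pm hunk is constant but is rebuilt every time a quoted token is parsed; hoisting it to a file-scope `my %esc = (...)` above the sub and leaving only the substitution inside the loop would make the table's fixed nature explicit. The replacement `s/\\(.)/$esc{$1}||'\\'.$1/egs` is correct as written only because no table value is false, so `//` would state that intent more precisely than `||`. Unlike the removed `eval qq{"$tok"}`, the new code no longer decodes octal or `\x..` escapes and instead keeps them as backslash plus character; the comment admits "only converts a few of them" but should say what becomes of the rest, e.g. `# other escapes (octal, \x..) are kept verbatim as backslash + char`. A regression test that a quoted annotation containing literal `$`, `@` and `\"` is returned as plain text, never evaluated, would pin the fix. The enclosing sub and its token loop start and end outside the quoted hunk.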