Joined: 12 May 2004
|Posted: Sun Jan 11, 2009 2:26 am Post subject: [ GLSA 200901-02 ] JHead: Multiple vulnerabilities
|Gentoo Linux Security Advisory
Title: JHead: Multiple vulnerabilities (GLSA 200901-02)
Date: January 11, 2009
Bug(s): #242702, #243238
Multiple vulnerabilities in JHead might lead to the execution of arbitrary code or data loss.
JHead is an exif jpeg header manipulation tool.
Vulnerable: < 2.84-r1
Unaffected: >= 2.84-r1
Architectures: All supported architectures
Marc Merlin and John Dong reported multiple vulnerabilities in JHead:
- A buffer overflow in the DoCommand() function when processing the cmd argument and related to potential string overflows (CVE-2008-4575).
- An insecure creation of a temporary file (CVE-2008-4639).
- A error when unlinking a file (CVE-2008-4640).
- Insufficient escaping of shell metacharacters (CVE-2008-4641).
A remote attacker could possibly execute arbitrary code by enticing a user or automated system to open a file with a long filename or via unspecified vectors. It is also possible to trick a user into deleting or overwriting files.
There is no known workaround at this time.
All JHead users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/jhead-2.84-r1"