GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Sun Jan 11, 2009 2:26 am Post subject: [ GLSA 200901-02 ] JHead: Multiple vulnerabilities |
|
|
Gentoo Linux Security Advisory
Title: JHead: Multiple vulnerabilities (GLSA 200901-02)
Severity: normal
Exploitable: remote
Date: January 11, 2009
Bug(s): #242702, #243238
ID: 200901-02
Synopsis
Multiple vulnerabilities in JHead might lead to the execution of arbitrary code or data loss.
Background
JHead is an exif jpeg header manipulation tool.
Affected Packages
Package: media-gfx/jhead
Vulnerable: < 2.84-r1
Unaffected: >= 2.84-r1
Architectures: All supported architectures
Description
Marc Merlin and John Dong reported multiple vulnerabilities in JHead: - A buffer overflow in the DoCommand() function when processing the cmd argument and related to potential string overflows (CVE-2008-4575).
- An insecure creation of a temporary file (CVE-2008-4639).
- A error when unlinking a file (CVE-2008-4640).
- Insufficient escaping of shell metacharacters (CVE-2008-4641).
Impact
A remote attacker could possibly execute arbitrary code by enticing a user or automated system to open a file with a long filename or via unspecified vectors. It is also possible to trick a user into deleting or overwriting files.
Workaround
There is no known workaround at this time.
Resolution
All JHead users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/jhead-2.84-r1" |
References
CVE-2008-4575
CVE-2008-4639
CVE-2008-4640
CVE-2008-4641 |
|