
Bug 243238 (CVE-2008-4640)

Summary: media-gfx/jhead <2.84-r1 Multiple vulnerabilities (CVE-2008-{4640,4641})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: graphics+disabled, vanquirius
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:18:36 UTC
CVE-2008-4640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4640):
  The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
  earlier allows local users to delete arbitrary files via vectors
  involving a modified input filename in which (1) a final "z"
  character is replaced by a "t" character or (2) a final "t" character
  is replaced by a "z" character.
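
The pattern the CVE-2008-4640 text describes, as an added C illustration that is not jhead's code and not part of the original report: a scratch name derived by swapping the final character is predictable and may already belong to another file, whereas mkstemp() creates a fresh one. The function names, the `scratch` prefix and the `/tmp` demo paths are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Scratch name as the CVE-2008-4640 text describes it: the input name with a
 * final 'z' swapped for 't', or a final 't' for 'z'. Returns -1 for any other
 * name, since the advisory names only these two cases. */
int derived_temp_name(const char *in, char *out, size_t n) {
    size_t len = strlen(in);
    if (len == 0 || len >= n) return -1;
    memcpy(out, in, len + 1);
    if (out[len - 1] == 'z') out[len - 1] = 't';
    else if (out[len - 1] == 't') out[len - 1] = 'z';
    else return -1;
    return 0;
}

/* Weak cleanup (illustrative): unlinks whatever sits at the derived path,
 * whether or not this process created it. */
int weak_cleanup(const char *in) {
    char tmp[4096];
    if (derived_temp_name(in, tmp, sizeof tmp) != 0) return -1;
    return unlink(tmp);
}

/* Hardened: mkstemp() creates a fresh file (O_CREAT|O_EXCL) beside the input,
 * so the path later removed is one this process made. Returns the fd or -1. */
int private_temp_beside(const char *in, char *out, size_t n) {
    const char *slash = strrchr(in, '/');
    int dirlen = slash ? (int)(slash - in) + 1 : 0;
    int w = snprintf(out, n, "%.*sscratchXXXXXX", dirlen, in);
    if (w < 0 || (size_t)w >= n) return -1;
    return mkstemp(out);
}

int main(void) {
    char dir[] = "/tmp/tmpdemoXXXXXX", in[64], keep[64], tmp[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(in, sizeof in, "%s/photo.jpz", dir);     /* constructed input name */
    snprintf(keep, sizeof keep, "%s/photo.jpt", dir); /* unrelated neighbour file */
    FILE *f = fopen(keep, "w"); if (!f) return 1; fclose(f);
    int fd = private_temp_beside(in, tmp, sizeof tmp);
    if (fd >= 0) { close(fd); unlink(tmp); }
    printf("hardened: neighbour present: %s\n", access(keep, F_OK) == 0 ? "yes" : "no");
    weak_cleanup(in);
    printf("weak: neighbour present: %s\n", access(keep, F_OK) == 0 ? "yes" : "no");
    return rmdir(dir);
}
```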
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:19:37 UTC
CVE-2008-4641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4641):
  The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
  earlier allows attackers to execute arbitrary commands via shell
  metacharacters in unspecified input.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:29:32 UTC
CVE-2008-4641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4641):
  The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
  earlier allows attackers to execute arbitrary commands via shell
  metacharacters in unspecified input.

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:31:39 UTC
Whoops, sorry about the dupe...
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 16:44:01 UTC

*** This bug has been marked as a duplicate of bug 242702 ***
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 16:46:42 UTC
I fail. This bug is not a dupe of course.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 21:19:13 UTC
Debian ships a 2.85 release, but I cannot find that upstream:
http://ftp.de.debian.org/debian/pool/main/j/jhead/jhead_2.85.orig.tar.gz

Upstream claims this fixes both issues in this bug. I mailed upstream for clarification of the release.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 22:20:02 UTC
Discussion with upstream yielded that Debian took one of the snapshots available on the jhead website and called that "2.85". Upstream does not plan a release any sooner than "early next year".

I think we should fix this bug before that, either by extracting the relevant patch from the latest snapshot, or by bumping to that snapshot. Comments?
Comment 8 Markus Meier gentoo-dev 2008-11-28 18:28:17 UTC
+*jhead-2.84-r1 (28 Nov 2008)
+
+  28 Nov 2008; Markus Meier <maekke@gentoo.org>
+  +files/jhead-2.84-bug243238.patch, +jhead-2.84-r1.ebuild:
+  bump for security bug #243238
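Review bot: The entry text on the last line, "bump for security bug #243238", names neither CVE-2008-4640 nor CVE-2008-4641 and does not say where files/jhead-2.84-bug243238.patch was taken from. Adding the two CVE ids and the patch origin to the ChangeLog entry would let someone reading the tree confirm what -r1 fixes without opening the bug.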
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-28 18:43:01 UTC
Arches, please test and mark stable:
=media-gfx/jhead-2.84-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-28 22:03:11 UTC
ppc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-29 16:49:46 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-11-29 16:56:32 UTC
alpha/ia64/sparc/x86 stable
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 16:32:53 UTC
amd64, ppc64: *ping*
Comment 14 Markus Meier gentoo-dev 2008-11-30 17:15:48 UTC
amd64 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2008-12-01 15:52:12 UTC
ppc64 done
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 11:05:30 UTC
GLSA together with bug 242702.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-01-11 00:48:25 UTC
GLSA 200901-02