Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 242702
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Stefan Behte <craig@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 242702 depends on: Show dependency tree
Bug 242702 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2008-10-19 03:13 0000 
CVE-2008-4575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4575):
  Buffer overflow in the DoCommand function in jhead before 2.84 might
  allow context-dependent attackers to cause a denial of service
  (crash) via (1) a long -cmd argument and (2) possibly other
  unspecified vectors.

------- Comment #1 From Stefan Behte 2008-10-19 03:17:51 0000 ------- 
Please test and mark stable / mask the old versions.

FYI: As I know you can't see it from my mail address: I'm a security padawan
http://www.gentoo.org/security/en/padawans.xml.

------- Comment #2 From Markus Meier 2008-10-19 14:33:49 0000 ------- 
amd64/x86 stable

------- Comment #3 From Guy Martin 2008-10-19 17:11:52 0000 ------- 
hppa stable

------- Comment #4 From Robert Buchholz 2008-10-19 20:30:54 0000 ------- 
adding graphics herd as maintainers

------- Comment #5 From Jose Luis Rivero (yoswink) 2008-10-20 08:15:14 0000 ------- 
alpha stable

------- Comment #6 From Ferris McCormick 2008-10-20 12:53:41 0000 ------- 
Sparc stable.

------- Comment #7 From Robert Buchholz 2008-10-21 14:50:16 0000 ------- 
please note that there are more unresolved issues in 2.84, as pointed out in
$URL and https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020

------- Comment #8 From Markus Rothe 2008-10-21 17:25:34 0000 ------- 
ppc64 stable

------- Comment #9 From Stefan Behte 2008-10-22 16:12:08 0000 ------- 
This also applies:

Name:      CVE-2008-4639
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4639
Published: 2008-10-21

jhead.c in Matthias Wandel jhead before 2.84 allows local users to
overwrite arbitrary files via a symlink attack on a temporary file.

Product (guessed): Matthias Wandel jhead

------- Comment #10 From Christian Hoffmann 2008-10-22 16:44:01 0000 ------- 
*** Bug 243238 has been marked as a duplicate of this bug. ***

------- Comment #11 From Raúl Porcel 2008-10-22 19:14:50 0000 ------- 
ia64 stable

------- Comment #12 From Tobias Scherbaum 2008-10-23 18:23:12 0000 ------- 
ppc stable

------- Comment #13 From Tobias Heinlein 2008-10-23 21:14:34 0000 ------- 
Ready for vote, I vote YES.

------- Comment #14 From Robert Buchholz 2008-11-26 18:45:55 0000 ------- 
YES, filed

------- Comment #15 From Robert Buchholz 2009-01-11 00:48:38 0000 ------- 
GLSA 200901-02
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug