Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 876247 (CVE-2020-6624, CVE-2020-6625, CVE-2022-41751) - <media-gfx/jhead-3.06.0.1: multiple vulnerabilities
Summary: <media-gfx/jhead-3.06.0.1: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2020-6624, CVE-2020-6625, CVE-2022-41751
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-09 03:37 UTC by John Helmert III
Modified: 2023-05-06 20:35 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-09 03:37:10 UTC 
CVE-2020-6624 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744):

jhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c.

CVE-2020-6625 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858746):

jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c.

Both bugs untouched in launchpad. We should fix glsa-202007-17, too,
as it's referenced in the CVEs.

https://security.gentoo.org/glsa/202007-17
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2022-10-18 22:28:21 UTC 
(In reply to John Helmert III from comment #0)
> CVE-2020-6624 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744):
> 
> jhead through 3.04 has a heap-based buffer over-read in process_DQT in
> jpgqguess.c.

https://github.com/Matthias-Wandel/jhead/issues/20
maybe??

> 
> CVE-2020-6625 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858746):
> 
> jhead through 3.04 has a heap-based buffer over-read in Get32s when called
> from ProcessGpsInfo in gpsinfo.c.

https://github.com/Matthias-Wandel/jhead/issues/17
maybe?? if yes, then fixed in 3.06.0.1

> 
> Both bugs untouched in launchpad. We should fix glsa-202007-17, too,
> as it's referenced in the CVEs.
> 
> https://security.gentoo.org/glsa/202007-17
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-19 02:30:04 UTC 
CVE-2022-41751 (https://github.com/Matthias-Wandel/jhead/pull/57):

Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.

This one's definitely patched: https://github.com/Matthias-Wandel/jhead/commit/ba1da7dce9e8f3269159b57b88ff9688624426d2
Comment 3 Larry the Git Cow gentoo-dev 2023-04-07 12:36:48 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fceaf2a9da27bc153a88c26a17ab13dd98e8d23

commit 9fceaf2a9da27bc153a88c26a17ab13dd98e8d23
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-04-07 12:36:28 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-04-07 12:36:28 +0000

    media-gfx/jhead: drop 3.04
    
    Bug: https://bugs.gentoo.org/876247
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-gfx/jhead/Manifest          |  1 -
 media-gfx/jhead/jhead-3.04.ebuild | 24 ------------------------
 2 files changed, 25 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 23:00:03 UTC 
Let's trust Andreas and treat these as fixed in 3.06.0.1.