Bug 876247 (CVE-2020-6624, CVE-2020-6625, CVE-2022-41751)

Summary:	<media-gfx/jhead-3.06.0.1: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa+]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2022-10-09 03:37:10 UTC

CVE-2020-6624 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744):

jhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c.

CVE-2020-6625 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858746):

jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c.

Both bugs untouched in launchpad. We should fix glsa-202007-17, too,
as it's referenced in the CVEs.

https://security.gentoo.org/glsa/202007-17

Comment 1 Andreas K. Hüttel archtester

2022-10-18 22:28:21 UTC

(In reply to John Helmert III from comment #0)
> CVE-2020-6624 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744):
> 
> jhead through 3.04 has a heap-based buffer over-read in process_DQT in
> jpgqguess.c.

https://github.com/Matthias-Wandel/jhead/issues/20
maybe??

> 
> CVE-2020-6625 (https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858746):
> 
> jhead through 3.04 has a heap-based buffer over-read in Get32s when called
> from ProcessGpsInfo in gpsinfo.c.

https://github.com/Matthias-Wandel/jhead/issues/17
maybe?? if yes, then fixed in 3.06.0.1

> 
> Both bugs untouched in launchpad. We should fix glsa-202007-17, too,
> as it's referenced in the CVEs.
> 
> https://security.gentoo.org/glsa/202007-17

Comment 2 John Helmert III archtester

2022-10-19 02:30:04 UTC

CVE-2022-41751 (https://github.com/Matthias-Wandel/jhead/pull/57):

Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.

This one's definitely patched: https://github.com/Matthias-Wandel/jhead/commit/ba1da7dce9e8f3269159b57b88ff9688624426d2

Comment 3 Larry the Git Cow gentoo-dev

2023-04-07 12:36:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fceaf2a9da27bc153a88c26a17ab13dd98e8d23

commit 9fceaf2a9da27bc153a88c26a17ab13dd98e8d23
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-04-07 12:36:28 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-04-07 12:36:28 +0000

    media-gfx/jhead: drop 3.04
    
    Bug: https://bugs.gentoo.org/876247
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-gfx/jhead/Manifest          |  1 -
 media-gfx/jhead/jhead-3.04.ebuild | 24 ------------------------
 2 files changed, 25 deletions(-)

Comment 4 John Helmert III archtester

2023-04-30 23:00:03 UTC

Let's trust Andreas and treat these as fixed in 3.06.0.1.

Comment 5 Larry the Git Cow gentoo-dev

2024-06-22 08:30:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=70a36362e8053f3760826b4ccce860e94299c700

commit 70a36362e8053f3760826b4ccce860e94299c700
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-06-22 08:28:39 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-22 08:29:13 +0000

    [ GLSA 202406-05 ] JHead: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/876247
    Bug: https://bugs.gentoo.org/879801
    Bug: https://bugs.gentoo.org/908519
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-05.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)