Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 242702 (CVE-2008-4575) - media-gfx/jhead <2.84 Buffer overflow in DoCommand (CVE-2008-{4575,4639)
Summary: media-gfx/jhead <2.84 Buffer overflow in DoCommand (CVE-2008-{4575,4639)
Status: RESOLVED FIXED
Alias: CVE-2008-4575
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-19 03:13 UTC by Stefan Behte (RETIRED)
Modified: 2009-01-11 00:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-19 03:13:58 UTC
CVE-2008-4575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4575):
  Buffer overflow in the DoCommand function in jhead before 2.84 might
  allow context-dependent attackers to cause a denial of service
  (crash) via (1) a long -cmd argument and (2) possibly other
  unspecified vectors.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-19 03:17:51 UTC
Please test and mark stable / mask the old versions.

FYI: As I know you can't see it from my mail address: I'm a security padawan http://www.gentoo.org/security/en/padawans.xml.
Comment 2 Markus Meier gentoo-dev 2008-10-19 14:33:49 UTC
amd64/x86 stable
Comment 3 Guy Martin (RETIRED) gentoo-dev 2008-10-19 17:11:52 UTC
hppa stable
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-19 20:30:54 UTC
adding graphics herd as maintainers
Comment 5 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-10-20 08:15:14 UTC
alpha stable
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-10-20 12:53:41 UTC
Sparc stable.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-10-21 14:50:16 UTC
please note that there are more unresolved issues in 2.84, as pointed out in $URL and https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-10-21 17:25:34 UTC
ppc64 stable
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:12:08 UTC
This also applies:

Name:      CVE-2008-4639
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4639
Published: 2008-10-21

jhead.c in Matthias Wandel jhead before 2.84 allows local users to
overwrite arbitrary files via a symlink attack on a temporary file.

Product (guessed): Matthias Wandel jhead

Comment 10 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 16:44:01 UTC
*** Bug 243238 has been marked as a duplicate of this bug. ***
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-10-22 19:14:50 UTC
ia64 stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 18:23:12 UTC
ppc stable
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-23 21:14:34 UTC
Ready for vote, I vote YES.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:45:55 UTC
YES, filed
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-01-11 00:48:38 UTC
GLSA 200901-02