CVE-2019-19035 (https://nvd.nist.gov/vuln/detail/CVE-2019-19035): jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.
Should be fixed in 3.04 according to https://bugzilla.redhat.com/show_bug.cgi?id=1765647#c1
@maintainer(s), please create an appropriate ebuild, and call for stabilisation when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67e090339cb570cde380194dbc8b68089d9de311

commit 67e090339cb570cde380194dbc8b68089d9de311
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-24 20:39:38 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-07-04 14:25:02 +0000

    media-gfx/jhead: Security bump to 3.04

    EAPI bumped, src_prepare refactored away, added PATCHES array instead
    with a patch that includes the effects of the previous patch. This patch
    also includes adding Makefile functionality to create a shared library
    that was removed upstream since the last version we have.

    Bug: https://bugs.gentoo.org/701826
    Bug: https://bugs.gentoo.org/711220
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16406
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-gfx/jhead/Manifest                           |  1 +
 .../files/jhead-3.04-mkstemp-fix-makefile.patch    | 53 ++++++++++++++++++++++
 media-gfx/jhead/jhead-3.04.ebuild                  | 24 ++++++++++
 3 files changed, 78 insertions(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=974f37f38f8a813afa0dd0c368d11bf7b8e5ccab

commit 974f37f38f8a813afa0dd0c368d11bf7b8e5ccab
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-27 12:32:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 12:32:20 +0000

    [ GLSA 202007-17 ] Add missing bug #701826

    This does not change the severity or impact of the GLSA.

    Closes: https://bugs.gentoo.org/701826
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202007-17.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)