Bug 243238 (CVE-2008-4640) - media-gfx/jhead <2.84-r1 Multiple vulnerabilities (CVE-2008-{4640,4641})
Summary: media-gfx/jhead <2.84-r1 Multiple vulnerabilities (CVE-2008-{4640,4641})
Status: RESOLVED FIXED
Alias: CVE-2008-4640
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2008-10-22 16:18 UTC by Stefan Behte (RETIRED)
Modified: 2009-01-11 00:48 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:18:36 UTC
CVE-2008-4640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4640):
  The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
  earlier allows local users to delete arbitrary files via vectors
  involving a modified input filename in which (1) a final "z"
  character is replaced by a "t" character or (2) a final "t" character
  is replaced by a "z" character.
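
Added example, not part of the bug report and not jhead's own code: a model of the flaw class the CVE-2008-4640 text describes, where a scratch file name is derived by swapping the final "t"/"z" of the input name, shown beside a hardened variant. The function names, the fallback for other final characters, and the sample file name are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Scratch name as in the CVE text: same path, final 't' <-> 'z'.
 * Assumption: any other final character also becomes 't'. */
int scratch_name(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n == 0 || n >= outlen) { errno = EINVAL; return -1; }
    memcpy(out, in, n + 1);
    out[n - 1] = (out[n - 1] == 't') ? 'z' : 't';
    return 0;
}

/* Weak pattern (assumed model): clear the scratch path before use.
 * Any unrelated file that already has that name is deleted. */
int prepare_scratch_weak(const char *in)
{
    char tmp[4096];
    if (scratch_name(in, tmp, sizeof tmp) != 0)
        return -1;
    return unlink(tmp);              /* 0 means an existing file was removed */
}

/* Hardened pattern: claim the name atomically. O_CREAT|O_EXCL fails with
 * EEXIST if a file or symlink is already there, so nothing is overwritten
 * or removed. Returns an fd the caller owns, or -1 with errno set. */
int prepare_scratch_safe(const char *in, char *tmp, size_t tmplen)
{
    if (scratch_name(in, tmp, tmplen) != 0)
        return -1;
    return open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    char tmp[256] = "";
    const char *in = "demo_photo.jpz";   /* constructed sample name */
    int fd = prepare_scratch_safe(in, tmp, sizeof tmp);
    if (fd < 0) {
        printf("refusing to reuse %s: %s\n", tmp, strerror(errno));
        return 1;
    }
    printf("scratch file %s created exclusively\n", tmp);
    close(fd);
    return unlink(tmp);                  /* remove only what we created */
}
```
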
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:19:37 UTC
CVE-2008-4641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4641):
  The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
  earlier allows attackers to execute arbitrary commands via shell
  metacharacters in unspecified input.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:29:32 UTC
CVE-2008-4641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4641):
  The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
  earlier allows attackers to execute arbitrary commands via shell
  metacharacters in unspecified input.

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 16:31:39 UTC
Whoops, sorry about the dupe...
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 16:44:01 UTC

*** This bug has been marked as a duplicate of bug 242702 ***
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 16:46:42 UTC
I fail. This bug is not a dupe of course.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 21:19:13 UTC
Debian ships a 2.85 release, but I cannot find that upstream:
http://ftp.de.debian.org/debian/pool/main/j/jhead/jhead_2.85.orig.tar.gz

Upstream claims this fixes both issues in this bug. I mailed upstream for clarification of the release.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 22:20:02 UTC
Discussion with upstream yielded that Debian took one of the snapshots available on the jhead website and called that "2.85". Upstream does not plan a release any sooner than "early next year".

I think we should fix this bug before that, either by extracting the relevant patch from the latest snapshot, or by bumping to that snapshot. Comments?
Comment 8 Markus Meier gentoo-dev 2008-11-28 18:28:17 UTC
+*jhead-2.84-r1 (28 Nov 2008)
+
+  28 Nov 2008; Markus Meier <maekke@gentoo.org>
+  +files/jhead-2.84-bug243238.patch, +jhead-2.84-r1.ebuild:
+  bump for security bug #243238
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-28 18:43:01 UTC
Arches, please test and mark stable:
=media-gfx/jhead-2.84-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-28 22:03:11 UTC
ppc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-29 16:49:46 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-11-29 16:56:32 UTC
alpha/ia64/sparc/x86 stable
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 16:32:53 UTC
amd64, ppc64: *ping*
Comment 14 Markus Meier gentoo-dev 2008-11-30 17:15:48 UTC
amd64 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2008-12-01 15:52:12 UTC
ppc64 done
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 11:05:30 UTC
GLSA together with bug 242702.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-01-11 00:48:25 UTC
GLSA 200901-02