Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 908519 (CVE-2022-28550) - <media-gfx/jhead-3.08: buffer overflow vulnerability
Summary: <media-gfx/jhead-3.08: buffer overflow vulnerability
Alias: CVE-2022-28550
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [stable?]
Depends on:
Reported: 2023-06-15 05:43 UTC by John Helmert III
Modified: 2024-03-11 18:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-15 05:43:25 UTC
CVE-2022-28550 (

Matthias-Wandel/jhead jhead 3.06 is vulnerable to Buffer Overflow via shellescape(), jhead.c, jhead. jhead copies strings to a stack buffer when it detects a &i or &o. However, jhead does not check the boundary of the stack buffer. As a result, there will be a stack buffer overflow problem when multiple `&i` or `&o` are given.

Comment 1 Larry the Git Cow gentoo-dev 2024-03-11 18:49:48 UTC
The bug has been referenced in the following commit(s):

commit d4bf8684d408ef7310a7915ca277707350d708d6
Author:     Sam James <>
AuthorDate: 2024-03-11 18:02:02 +0000
Commit:     Sam James <>
CommitDate: 2024-03-11 18:02:11 +0000

    media-gfx/jhead: add 3.08
    Signed-off-by: Sam James <>

 media-gfx/jhead/Manifest                           |  1 +
 .../jhead/files/jhead-3.08-fix-makefile.patch      | 42 ++++++++++++++++++++++
 media-gfx/jhead/jhead-3.08.ebuild                  | 36 +++++++++++++++++++
 3 files changed, 79 insertions(+)