Debian Bug report logs - #502353
jhead: Security issues fixed in 2.84
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 15 Oct 2008 20:48:02 UTC
Severity: grave
Tags: security
Fixed in version jhead/2.84-1
Done: Ludovic Rousseau <rousseau@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Ludovic Rousseau <rousseau@debian.org>:
Bug#502353; Package jhead.
(Wed, 15 Oct 2008 20:48:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Ludovic Rousseau <rousseau@debian.org>.
(Wed, 15 Oct 2008 20:48:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: jhead
Severity: grave
Tags: security
Justification: user security hole
jhead fixes several unspecified security issues. Please see these
references for details:
http://www.sentex.net/~mwandel/jhead/changes.txt
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020
http://article.gmane.org/gmane.comp.security.oss.general/1064
http://article.gmane.org/gmane.comp.security.oss.general/1065
Kudos to Canonical for discovering the security implications three
weeks ago and making the bug private without telling Debian. Seems
like Greg KH was right after all.
Cheers,
Moritz
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8)
Reply sent to Ludovic Rousseau <rousseau@debian.org>:
You have taken responsibility.
(Thu, 16 Oct 2008 20:00:05 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Thu, 16 Oct 2008 20:00:05 GMT)
Message #10 received at 502353-close@bugs.debian.org:
Source: jhead
Source-Version: 2.84-1
We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive:
jhead_2.84-1.diff.gz
to pool/main/j/jhead/jhead_2.84-1.diff.gz
jhead_2.84-1.dsc
to pool/main/j/jhead/jhead_2.84-1.dsc
jhead_2.84-1_amd64.deb
to pool/main/j/jhead/jhead_2.84-1_amd64.deb
jhead_2.84.orig.tar.gz
to pool/main/j/jhead/jhead_2.84.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 502353@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Rousseau <rousseau@debian.org> (supplier of updated jhead package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 16 Oct 2008 21:13:02 +0200
Source: jhead
Binary: jhead
Architecture: source amd64
Version: 2.84-1
Distribution: unstable
Urgency: high
Maintainer: Ludovic Rousseau <rousseau@debian.org>
Changed-By: Ludovic Rousseau <rousseau@debian.org>
Description:
jhead - manipulate the non-image part of Exif compliant JPEG files
Closes: 502353
Changes:
 jhead (2.84-1) unstable; urgency=high
 .
   * New upstream release
     - Closes: #502353 "Security issues fixed in 2.84"
     - Fix CVE-2008-4575: "Buffer overflow in the DoCommand function in jhead
       before 2.84 might allow context-dependent attackers to cause a denial of
       service (crash) via (1) a long -cmd argument and (2) possibly other
       unspecified vectors."
   * debian/patches/05_jhead.1.dpatch: removed since applied upstream
   * debian/patches/10_jhead.1.dpatch: update since not all from
     05_jhead.1.dpatch has been included upstream
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkj3lF4ACgkQP0qKj+B/HPlv0wCbBm/HAiaxTbAXQiRWXV/OwrNz
snIAn0x4z2i5D52qfnWx8IM359hu9iRj
=zkdz
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org.
(Mon, 16 Mar 2009 09:12:46 GMT)
Last modified: Fri Jan 12 02:18:22 2018