Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21148
HistoryJan 14, 2009 - 12:00 a.m.

[ GLSA 200901-02 ] JHead: Multiple vulnerabilities

2009-01-1400:00:00
vulners.com
3
JSON

Gentoo Linux Security Advisory GLSA 200901-02

                                        http://security.gentoo.org/

Severity: Normal
Title: JHead: Multiple vulnerabilities
Date: January 11, 2009
Bugs: #242702, #243238
ID: 200901-02

Synopsis

Multiple vulnerabilities in JHead might lead to the execution of
arbitrary code or data loss.

Background

JHead is an exif jpeg header manipulation tool.

Affected packages

-------------------------------------------------------------------
 Package          /  Vulnerable  /                      Unaffected
-------------------------------------------------------------------

1 media-gfx/jhead < 2.84-r1 >= 2.84-r1

Description

Marc Merlin and John Dong reported multiple vulnerabilities in JHead:

  • A buffer overflow in the DoCommand() function when processing the
    cmd argument and related to potential string overflows
    (CVE-2008-4575).

  • An insecure creation of a temporary file (CVE-2008-4639).

  • A error when unlinking a file (CVE-2008-4640).

  • Insufficient escaping of shell metacharacters (CVE-2008-4641).

Impact

A remote attacker could possibly execute arbitrary code by enticing a
user or automated system to open a file with a long filename or via
unspecified vectors. It is also possible to trick a user into deleting
or overwriting files.

Workaround

There is no known workaround at this time.

Resolution

All JHead users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-gfx/jhead-2.84-r1&quot;

References

[ 1 ] CVE-2008-4575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4575
[ 2 ] CVE-2008-4639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4639
[ 3 ] CVE-2008-4640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4640
[ 4 ] CVE-2008-4641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4641

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200901-02.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Related

openvas 18
gentoo 1
securityvulns 1
nessus 9
fedora 4
ubuntucve 4
cve 4
prion 4
debiancve 4
openvas
openvas
Gentoo Security Advisory GLSA 200901-02 (jhead)
2009-01-13 00:00:00
Gentoo Security Advisory GLSA 200901-02 (jhead)
2009-01-13 00:00:00
Mandrake Security Advisory MDVSA-2009:041 (jhead)
2009-02-18 00:00:00
gentoo
gentoo
JHead: Multiple vulnerabilities
2009-01-11 00:00:00
securityvulns
securityvulns
JHead multiple security vulnerabilities
2009-01-14 00:00:00
nessus
nessus
openSUSE 10 Security Update : jhead (jhead-5899)
2009-01-11 00:00:00
openSUSE Security Update : jhead (jhead-399)
2009-07-21 00:00:00
GLSA-200901-02 : JHead: Multiple vulnerabilities
2009-01-12 00:00:00
fedora
fedora
[SECURITY] Fedora 9 Update: jhead-2.86-1.fc9
2009-03-05 16:33:33
[SECURITY] Fedora 10 Update: jhead-2.86-1.fc10
2009-03-05 16:32:37
[SECURITY] Fedora 8 Update: jhead-2.84-1.fc8
2008-10-20 22:06:04
ubuntucve
ubuntucve
CVE-2008-4639
2008-10-21 00:00:00
CVE-2008-4640
2008-10-21 00:00:00
CVE-2008-4641
2008-10-21 00:00:00
cve
cve
CVE-2008-4639
2008-10-21 18:00:00
CVE-2008-4640
2008-10-21 18:00:00
CVE-2008-4641
2008-10-21 18:00:00
prion
prion
Arbitrary file deletion
2008-10-21 18:00:00
Input validation
2008-10-21 18:00:00
Input validation
2008-10-21 18:00:00
debiancve
debiancve
CVE-2008-4640
2008-10-21 18:00:00
CVE-2008-4639
2008-10-21 18:00:00
CVE-2008-4641
2008-10-21 18:00:00
JSON
Related for SECURITYVULNS:DOC:21148
openvas18gentoo1securityvulns1nessus9fedora4ubuntucve4cve4prion4debiancve4