Bug 22565 - jhead new security issue CVE-2018-6612
Summary: jhead new security issue CVE-2018-6612
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-10 22:03 CET by David Walser
Modified: 2018-02-15 11:24 CET
CC List: 3 users

See Also:
Source RPM: jhead-3.00-3.mga6.src.rpm
CVE:
Status comment:
Description David Walser 2018-02-10 22:03:25 CET
openSUSE has issued an advisory today (February 10):
https://lists.opensuse.org/opensuse-updates/2018-02/msg00037.html

Mageia 6 is also affected.
David Walser 2018-02-10 22:03:33 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-10 22:05:48 CET

Status comment: (none) => Debian and openSUSE have patches

Comment 1 Marja van Waes 2018-02-11 17:35:08 CET
Assigning to the registered maintainer.

Assignee: bugsquad => jani.valimaa
CC: (none) => marja11

Comment 2 Jani Välimaa 2018-02-11 19:18:35 CET
Pushed fixed version to cauldron and mga6 core/updates_testing.

mga6 RPM and SRPM:
jhead-3.00-3.1.mga6

Assignee: jani.valimaa => qa-bugs

Thomas Backlund 2018-02-11 19:21:43 CET

Whiteboard: MGA6TOO => (none)
CC: (none) => tmb
Version: Cauldron => 6

Comment 3 David Walser 2018-02-11 20:46:21 CET
Advisory:
========================

Updated jhead package fixes security vulnerability:

An integer underflow bug in the process_EXIF function of the exif.c file of
jhead 3.00 raises a heap-based buffer over-read when processing a malicious JPEG
file, which may allow a remote attacker to cause a denial-of-service attack or
unspecified other impact (CVE-2018-6612).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6612
https://lists.opensuse.org/opensuse-updates/2018-02/msg00037.html

Status comment: Debian and openSUSE have patches => (none)
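The advisory above describes an integer underflow in length handling that turns into a heap-based buffer over-read. The C below is an added, constructed illustration of that bug class; it is not jhead's code and not taken from the page. It places the unsigned-subtraction pattern next to a hardened version that validates the section length before doing any arithmetic, and then walks a directory with every read bounded by the real buffer size. The 8-byte header, 2-byte entry count and 12-byte entries are an assumed, simplified EXIF/TIFF-like layout used only for the demonstration, and both sample sections are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration (not jhead's code). The layout below is assumed:
 * 8-byte header, then a 2-byte little-endian entry count, then 12-byte entries. */
#define HEADER_LEN 8u   /* assumed fixed header size */
#define ENTRY_LEN  12u  /* assumed size of one directory entry */

/* Vulnerable pattern: if length < HEADER_LEN the unsigned subtraction wraps to a
 * value near 4 GiB. A walker that trusts that value as its bound reads far past
 * the heap buffer holding the section (a heap-based buffer over-read). */
uint32_t dir_len_naive(uint32_t length) {
    return length - HEADER_LEN;
}

/* Hardened pattern: reject sections that cannot even hold the header before
 * the subtraction happens, so the result can never wrap. */
bool dir_len_checked(uint32_t length, uint32_t *dir_len) {
    if (length < HEADER_LEN) {
        return false;           /* malformed: too short for a header */
    }
    *dir_len = length - HEADER_LEN;
    return true;
}

/* Walk the directory only after bounds are validated. Returns the entry count,
 * or -1 when the section is malformed. Every read is checked against the bytes
 * actually held, so a crafted count cannot push the walk beyond buf + len. */
int count_entries_checked(const uint8_t *buf, uint32_t len) {
    uint32_t dir_len;
    if (!dir_len_checked(len, &dir_len)) return -1;
    if (dir_len < 2) return -1;                 /* no room for the entry count */
    const uint8_t *dir = buf + HEADER_LEN;
    uint32_t n = (uint32_t)dir[0] | ((uint32_t)dir[1] << 8);  /* little-endian count */
    /* n <= 0xFFFF, so n * ENTRY_LEN cannot overflow 32 bits. */
    if (n * ENTRY_LEN > dir_len - 2) return -1; /* entries would run past the buffer */
    return (int)n;
}

/* True when a walker bounded by the naive (wrapped) length would read beyond
 * the bytes actually held. This is the condition the hardened path rules out. */
bool naive_walk_overreads(uint32_t len) {
    return dir_len_naive(len) > len;
}

/* Constructed sample inputs (not from the page). */
static const uint8_t good_section[] = {
    'E','x','i','f',0,0,'I','I',                                 /* 8-byte header */
    0x01, 0x00,                                                  /* one entry */
    0x0f,0x01, 0x02,0x00, 0x06,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 /* 12-byte entry */
};
static const uint8_t short_section[] = { 'E','x','i','f' };       /* only 4 bytes */

int main(void) {
    printf("good: %d entries\n",
           count_entries_checked(good_section, (uint32_t)sizeof good_section));
    printf("short: naive bound = %u, would over-read = %s, checked = %d\n",
           dir_len_naive((uint32_t)sizeof short_section),
           naive_walk_overreads((uint32_t)sizeof short_section) ? "yes" : "no",
           count_entries_checked(short_section, (uint32_t)sizeof short_section));
    return 0;
}
```

The point of the hardened path is that the comparison happens on the original length, never on a derived value: once `length - HEADER_LEN` has wrapped, no later check on the result can recover the information that the section was too short.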

Comment 4 Herman Viaene 2018-02-15 11:24:51 CET
MGA6-32 on Dell Latitude D600
No installation issues
At CLI:
$ jhead P7212393.jpeg 
File name    : P7212393.jpeg
File size    : 9573842 bytes
File date    : 2013:11:11 08:46:16
Camera make  : OLYMPUS IMAGING CORP.  
Camera model : E-500           
Date/Time    : 2012:07:21 15:04:00
Resolution   : 3340 x 2504
Flash used   : No
Focal length : 31.0mm
Exposure time: 0.0100 s  (1/100)
Aperture     : f/18.0
ISO equiv.   : 100
Whitebalance : Manual
Metering Mode: spot
Exposure     : shutter priority (semi-auto)
JPEG Quality : 100
is OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK