openSUSE has issued an advisory on September 24:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00142.html

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Done for Cauldron and mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated jhead package fixes security vulnerability:

The ProcessGpsInfo function may have allowed a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling (CVE-2018-16554).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16554
https://lists.opensuse.org/opensuse-updates/2018-09/msg00142.html
========================

Updated packages in core/updates_testing:
========================
jhead-3.00-3.2.mga6

from jhead-3.00-3.2.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: bugsquad => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues

$ jhead -v p4090005.jpg
Exif header 24574 bytes long
Exif section in Intel order
(dir has 12 entries)
ImageDescription = "OLYMPUS DIGITAL CAMERA "
Make = "OLYMPUS IMAGING CORP. "
Model = "E-500 "
Orientation = 1
XResolution = 314/1
YResolution = 314/1
and loads more

$ jhead -v dsc00107.jpg
Exif header 15865 bytes long
Exif section in Intel order
(dir has 11 entries)
ImageDescription = " "
Make = "SONY"
Model = "DSC-P200"
Orientation = 1
XResolution = 72/1
YResolution = 72/1
etc.....

Looks good
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
openSUSE has issued an advisory today (October 26):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00198.html

It fixes an additional issue.
CC: (none) => qa-bugs
Assignee: qa-bugs => geiger.david68210
Summary: jhead new security issue CVE-2018-16554 => jhead new security issues CVE-2018-16554 and CVE-2018-17088
Fixed both Cauldron and mga6!
Advisory:
========================

Updated jhead package fixes security vulnerability:

The ProcessGpsInfo function may have allowed a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling (CVE-2018-16554).

The ProcessGpsInfo function may have allowed a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length (CVE-2018-17088).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17088
https://lists.opensuse.org/opensuse-updates/2018-09/msg00142.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00198.html
========================

Updated packages in core/updates_testing:
========================
jhead-3.00-3.3.mga6

from jhead-3.00-3.3.mga6.src.rpm
Whiteboard: MGA6-32-OK => (none)
CC: qa-bugs => (none)
Assignee: geiger.david68210 => qa-bugs
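The integer-overflow class named in the CVE-2018-17088 advisory text above, shown as an added illustration in C; it is not jhead's source and not part of the original report. All function names and sample values are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustration only: hypothetical names, not jhead's source. */

/* Overflow-prone check: offset + count is done in 32 bits and can wrap,
   so a huge offset plus a small count looks like a small end position. */
static int in_bounds_naive(uint32_t offset, uint32_t count, uint32_t exif_len)
{
    return (uint32_t)(offset + count) <= exif_len;
}

/* Hardened check: never add two file-controlled values; subtract from
   the trusted length instead, after proving the subtraction is safe. */
static int in_bounds_checked(uint32_t offset, uint32_t count, uint32_t exif_len)
{
    if (offset > exif_len)
        return 0;
    return count <= exif_len - offset;
}

/* An entry's size is components * bytes-per-component; that product can
   wrap as well, so it is validated before the bounds check. */
static int entry_ok(uint32_t offset, uint32_t components,
                    uint32_t bytes_per, uint32_t exif_len)
{
    if (bytes_per != 0 && components > UINT32_MAX / bytes_per)
        return 0;
    return in_bounds_checked(offset, components * bytes_per, exif_len);
}

int main(void)
{
    /* Constructed values: a 24574-byte EXIF block and a hostile offset. */
    uint32_t len = 24574, off = 0xFFFFFFF0u, cnt = 0x20;

    printf("naive=%d checked=%d\n",
           in_bounds_naive(off, cnt, len), in_bounds_checked(off, cnt, len));
    printf("normal=%d wrapped_size=%d\n",
           entry_ok(100, 3, 8, len), entry_ok(100, 0x40000001u, 4, len));
    return 0;
}
```

The naive form accepts the out-of-range location because the sum wraps to 0x10; the checked form and the size pre-check both reject it.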
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues

At CLI:
$ jhead 34815438.jpg
File name : 34815438.jpg
File size : 131213 bytes
File date : 2016:05:12 19:43:56
Resolution : 500 x 375
JPEG Quality : 96

this is a file which is the result of various format conversions, so OK for me.

$ jhead p4090007.jpg
File name : p4090007.jpg
File size : 4898553 bytes
File date : 2016:05:12 19:43:57
Camera make : OLYMPUS IMAGING CORP.
Camera model : E-500
Date/Time : 2006:04:09 15:13:12
Resolution : 3264 x 2448
Flash used : No (auto)
Focal length : 24.0mm
Exposure time: 0.167 s (1/6)
Aperture : f/4.2
ISO equiv. : 100
Whitebalance : Auto
Metering Mode: pattern
Exposure : Creative Program (based towards depth of field)
JPEG Quality : 100

this is a genuine picture downloaded from a camera. OK.
Whiteboard: (none) => MGA6-32-OK
Installed 64-bit version, then updated it. Package installed cleanly.

I was going to validate on that basis alone, but decided to give it a quick try on an old photo, anyway.

jhead p4230003.jpg
File name : p4230003.jpg
File size : 377160 bytes
File date : 2009:04:23 13:40:46
Camera make : OLYMPUS OPTICAL CO.,LTD
Camera model : C860L,D360L
Date/Time : 2009:04:23 13:40:46
Resolution : 1280 x 960
Flash used : Yes
Focal length : 5.5mm
Exposure time: 0.033 s (1/30)
Aperture : f/11.0
ISO equiv. : 125
Metering Mode: pattern
Exposure : program (auto)
JPEG Quality : 95

A genuine photo, downloaded years ago, from a camera I no longer use.

OK here for 64-bit. Validating. Advisory in Comment 6.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Corrected TJ's x64 OK. Advisoried from c6.
Keywords: (none) => advisory
Whiteboard: MGA6-32-OK MGA-64-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => lewyssmith
Oops.
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0457.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED