openSUSE has issued an advisories on April 22 and May 16: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SCW5XBSBEM6OUDLCSLS5UW7BSRNESS4J/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/ The issues are fixed upstream in 3.06.0.1. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Fixed upstream in 3.06.0.1
Pushed the following pkgs to core/updates_testing: jhead-3.06.0.1-1.mga7 jhead-3.06.0.1-1.mga8
Assignee: jani.valimaa => qa-bugs
PoC's: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744 https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858746 https://github.com/Matthias-Wandel/jhead/issues/33 Advisory: ======================== Updated jhead package fixes security vulnerabilities: jhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c (CVE-2020-6624). jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c (CVE-2020-6625). A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file (CVE-2021-3496). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6624 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6625 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3496 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SCW5XBSBEM6OUDLCSLS5UW7BSRNESS4J/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/
MGA7-64 Plasma on Lenovo B50 No installation issues. This is a toot to read EXIF from jpg $ jhead gedraaid.jpg File name : gedraaid.jpg File size : 1342848 bytes File date : 2021:06:23 15:18:47 Camera make : Canon Camera model : Canon IXUS 240 HS Date/Time : 2014:01:19 14:55:48 Resolution : 3456 x 4608 Flash used : No Focal length : 15.4mm (35mm equivalent: 90mm) CCD width : 6.17mm Exposure time: 0.125 s (1/8) Aperture : f/5.6 Focus dist. : 1.53m ISO equiv. : 1600 Whitebalance : Auto Metering Mode: pattern JPEG Quality : 75 Looks OK
CC: (none) => herman.viaeneWhiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
$ jhead ~/Download/whatididntlearninschool.jpg File name : /home/<user>/Download/whatididntlearninschool.jpg File size : 48621 bytes File date : 2015:08:22 06:24:23 Resolution : 500 x 500 Jpeg process : Progressive JPEG Quality : 71 ======= IPTC data: ======= OriginalTransmissionReference: PxkB_AgQm20tlacYorZI Spec. Instr. : FBMD01000abe03000043110000882a0000822b0000dc2c0000c44d0000ec7300001e770000d4790000257d0000edbd0000 Looks OK on x86_64.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0328.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
This update also fixed CVE-2021-2827[68]: https://ubuntu.com/security/notices/USN-6098-1
(In reply to David Walser from comment #7) > This update also fixed CVE-2021-2827[68]: > https://ubuntu.com/security/notices/USN-6098-1 as well as CVE-2020-26208.
(In reply to David Walser from comment #7) > This update also fixed CVE-2021-2827[68]: > https://ubuntu.com/security/notices/USN-6098-1 as well as CVE-2021-2827[57]: https://ubuntu.com/security/notices/USN-6110-1