Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-3496 (GCVE-0-2021-3496)
Vulnerability from cvelistv5
Published
2021-04-22 00:00
Modified
2024-08-03 16:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| patrick@puiterwijk.org | https://bugzilla.redhat.com/show_bug.cgi?id=1949245 | Issue Tracking, Third Party Advisory | |
| patrick@puiterwijk.org | https://github.com/Matthias-Wandel/jhead/issues/33 | Exploit, Patch, Third Party Advisory | |
| patrick@puiterwijk.org | https://security.gentoo.org/glsa/202210-17 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1949245 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Matthias-Wandel/jhead/issues/33 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202210-17 | Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:53:17.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Matthias-Wandel/jhead/issues/33"
},
{
"name": "GLSA-202210-17",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-17"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jhead",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "jhead 3.06.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245"
},
{
"url": "https://github.com/Matthias-Wandel/jhead/issues/33"
},
{
"name": "GLSA-202210-17",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-17"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2021-3496",
"datePublished": "2021-04-22T00:00:00",
"dateReserved": "2021-04-13T00:00:00",
"dateUpdated": "2024-08-03T16:53:17.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2021-3496\",\"sourceIdentifier\":\"patrick@puiterwijk.org\",\"published\":\"2021-04-22T19:15:07.450\",\"lastModified\":\"2024-11-21T06:21:40.943\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 un desbordamiento de b\u00fafer en la regi\u00f3n heap de la memoria en jhead en versi\u00f3n 3.06, en la funci\u00f3n Get16u() en el archivo exif.c cuando se procesa un archivo dise\u00f1ado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"patrick@puiterwijk.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jhead_project:jhead:3.06:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D05C20ED-B09A-43EE-8D82-0524C33E0E60\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1949245\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Matthias-Wandel/jhead/issues/33\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202210-17\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1949245\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Matthias-Wandel/jhead/issues/33\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202210-17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
cnvd-2021-31664
Vulnerability from cnvd
Title: jhead堆缓冲区溢出漏洞(CNVD-2021-31664)
Description:
jhead是一款用于修改JPEG文件信息的工具。
jhead 3.06版本存在堆缓冲区溢出漏洞,该漏洞源于exif.c的Get16u参数缓冲区溢出。目前没有详细的漏洞细节提供。
Severity: 中
Patch Name: jhead堆缓冲区溢出漏洞(CNVD-2021-31664)的补丁
Patch Description:
jhead是一款用于修改JPEG文件信息的工具。
jhead 3.06版本存在堆缓冲区溢出漏洞,该漏洞源于exif.c的Get16u参数缓冲区溢出。目前没有详细的漏洞细节提供。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description:
厂商已发布了漏洞修复程序,请及时关注更新: https://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-3496
Impacted products
| Name | Jhead jhead 3.06 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-3496",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-3496"
}
},
"description": "jhead\u662f\u4e00\u6b3e\u7528\u4e8e\u4fee\u6539JPEG\u6587\u4ef6\u4fe1\u606f\u7684\u5de5\u5177\u3002\n\njhead 3.06\u7248\u672c\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eexif.c\u7684Get16u\u53c2\u6570\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-31664",
"openTime": "2021-04-28",
"patchDescription": "jhead\u662f\u4e00\u6b3e\u7528\u4e8e\u4fee\u6539JPEG\u6587\u4ef6\u4fe1\u606f\u7684\u5de5\u5177\u3002\r\n\r\njhead 3.06\u7248\u672c\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eexif.c\u7684Get16u\u53c2\u6570\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "jhead\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-31664\uff09\u7684\u8865\u4e01",
"products": {
"product": "Jhead jhead 3.06"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-3496",
"serverity": "\u4e2d",
"submitTime": "2021-04-23",
"title": "jhead\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-31664\uff09"
}
opensuse-su-2021:0594-1
Vulnerability from csaf_opensuse
Published
2021-04-22 18:05
Modified
2021-04-22 18:05
Summary
Security update for jhead
Notes
Title of the patch
Security update for jhead
Description of the patch
This update for jhead fixes the following issues:
- CVE-2021-3496: Fixed heap-based buffer overflow in Get16u() in exif.c (bsc#1184756)
Patchnames
openSUSE-2021-594
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jhead",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jhead fixes the following issues:\n\n- CVE-2021-3496: Fixed heap-based buffer overflow in Get16u() in exif.c (bsc#1184756)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-594",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0594-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0594-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SCW5XBSBEM6OUDLCSLS5UW7BSRNESS4J/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0594-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SCW5XBSBEM6OUDLCSLS5UW7BSRNESS4J/"
},
{
"category": "self",
"summary": "SUSE Bug 1184756",
"url": "https://bugzilla.suse.com/1184756"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3496 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3496/"
}
],
"title": "Security update for jhead",
"tracking": {
"current_release_date": "2021-04-22T18:05:18Z",
"generator": {
"date": "2021-04-22T18:05:18Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0594-1",
"initial_release_date": "2021-04-22T18:05:18Z",
"revision_history": [
{
"date": "2021-04-22T18:05:18Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.00-lp152.7.3.1.x86_64",
"product": {
"name": "jhead-3.00-lp152.7.3.1.x86_64",
"product_id": "jhead-3.00-lp152.7.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.00-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:jhead-3.00-lp152.7.3.1.x86_64"
},
"product_reference": "jhead-3.00-lp152.7.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3496",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3496"
}
],
"notes": [
{
"category": "general",
"text": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.00-lp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3496",
"url": "https://www.suse.com/security/cve/CVE-2021-3496"
},
{
"category": "external",
"summary": "SUSE Bug 1184756 for CVE-2021-3496",
"url": "https://bugzilla.suse.com/1184756"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.00-lp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:jhead-3.00-lp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-04-22T18:05:18Z",
"details": "important"
}
],
"title": "CVE-2021-3496"
}
]
}
opensuse-su-2021:0743-1
Vulnerability from csaf_opensuse
Published
2021-05-16 14:04
Modified
2021-05-16 14:04
Summary
Security update for jhead
Notes
Title of the patch
Security update for jhead
Description of the patch
This update for jhead fixes the following issues:
jhead was updated to 3.06.0.1
* lot of fuzztest fixes
* Apply a whole bunch of patches from Debian.
* Spell check and fuzz test stuff from Debian, nothing useful to
human users.
* Add option to set exif date from date from another file.
* Bug fixes relating to fuzz testing.
* Fix bug where thumbnail replacement DID NOT WORK.
* Fix bug when no orientation tag is present
* Fix bug of not clearing exif information when processing images
with an without exif data in one invocation.
* Remove some unnecessary warnings with some types of GPS data
* Remove multiple copies of the same type of section when deleting
section types
Patchnames
openSUSE-2021-743
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jhead",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jhead fixes the following issues:\n\njhead was updated to 3.06.0.1\n\n* lot of fuzztest fixes\n* Apply a whole bunch of patches from Debian.\n* Spell check and fuzz test stuff from Debian, nothing useful to\n human users.\n* Add option to set exif date from date from another file.\n* Bug fixes relating to fuzz testing.\n* Fix bug where thumbnail replacement DID NOT WORK.\n* Fix bug when no orientation tag is present\n* Fix bug of not clearing exif information when processing images\n with an without exif data in one invocation.\n* Remove some unnecessary warnings with some types of GPS data\n* Remove multiple copies of the same type of section when deleting\n section types\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-743",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0743-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0743-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0743-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/"
},
{
"category": "self",
"summary": "SUSE Bug 1144316",
"url": "https://bugzilla.suse.com/1144316"
},
{
"category": "self",
"summary": "SUSE Bug 1144354",
"url": "https://bugzilla.suse.com/1144354"
},
{
"category": "self",
"summary": "SUSE Bug 1160544",
"url": "https://bugzilla.suse.com/1160544"
},
{
"category": "self",
"summary": "SUSE Bug 1160547",
"url": "https://bugzilla.suse.com/1160547"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-3822 page",
"url": "https://www.suse.com/security/cve/CVE-2016-3822/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16554 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16554/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-17088 page",
"url": "https://www.suse.com/security/cve/CVE-2018-17088/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-6612 page",
"url": "https://www.suse.com/security/cve/CVE-2018-6612/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-1010301 page",
"url": "https://www.suse.com/security/cve/CVE-2019-1010301/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-1010302 page",
"url": "https://www.suse.com/security/cve/CVE-2019-1010302/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-6624 page",
"url": "https://www.suse.com/security/cve/CVE-2020-6624/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-6625 page",
"url": "https://www.suse.com/security/cve/CVE-2020-6625/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3496 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3496/"
}
],
"title": "Security update for jhead",
"tracking": {
"current_release_date": "2021-05-16T14:04:45Z",
"generator": {
"date": "2021-05-16T14:04:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0743-1",
"initial_release_date": "2021-05-16T14:04:45Z",
"revision_history": [
{
"date": "2021-05-16T14:04:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-lp152.7.6.1.x86_64",
"product": {
"name": "jhead-3.06.0.1-lp152.7.6.1.x86_64",
"product_id": "jhead-3.06.0.1-lp152.7.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-lp152.7.6.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
},
"product_reference": "jhead-3.06.0.1-lp152.7.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-3822",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-3822"
}
],
"notes": [
{
"category": "general",
"text": "exif.c in Matthias Wandel jhead 2.87, as used in libjhead in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds access) via crafted EXIF data, aka internal bug 28868315.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-3822",
"url": "https://www.suse.com/security/cve/CVE-2016-3822"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2016-3822",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2016-3822",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "low"
}
],
"title": "CVE-2016-3822"
},
{
"cve": "CVE-2018-16554",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16554"
}
],
"notes": [
{
"category": "general",
"text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16554",
"url": "https://www.suse.com/security/cve/CVE-2018-16554"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2018-16554",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2018-16554",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "low"
}
],
"title": "CVE-2018-16554"
},
{
"cve": "CVE-2018-17088",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-17088"
}
],
"notes": [
{
"category": "general",
"text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-17088",
"url": "https://www.suse.com/security/cve/CVE-2018-17088"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2018-17088",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2018-17088",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "low"
}
],
"title": "CVE-2018-17088"
},
{
"cve": "CVE-2018-6612",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-6612"
}
],
"notes": [
{
"category": "general",
"text": "An integer underflow bug in the process_EXIF function of the exif.c file of jhead 3.00 raises a heap-based buffer over-read when processing a malicious JPEG file, which may allow a remote attacker to cause a denial-of-service attack or unspecified other impact.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-6612",
"url": "https://www.suse.com/security/cve/CVE-2018-6612"
},
{
"category": "external",
"summary": "SUSE Bug 1079349 for CVE-2018-6612",
"url": "https://bugzilla.suse.com/1079349"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "moderate"
}
],
"title": "CVE-2018-6612"
},
{
"cve": "CVE-2019-1010301",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-1010301"
}
],
"notes": [
{
"category": "general",
"text": "jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-1010301",
"url": "https://www.suse.com/security/cve/CVE-2019-1010301"
},
{
"category": "external",
"summary": "SUSE Bug 1144316 for CVE-2019-1010301",
"url": "https://bugzilla.suse.com/1144316"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "low"
}
],
"title": "CVE-2019-1010301"
},
{
"cve": "CVE-2019-1010302",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-1010302"
}
],
"notes": [
{
"category": "general",
"text": "jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-1010302",
"url": "https://www.suse.com/security/cve/CVE-2019-1010302"
},
{
"category": "external",
"summary": "SUSE Bug 1144354 for CVE-2019-1010302",
"url": "https://bugzilla.suse.com/1144354"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "low"
}
],
"title": "CVE-2019-1010302"
},
{
"cve": "CVE-2020-6624",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-6624"
}
],
"notes": [
{
"category": "general",
"text": "jhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-6624",
"url": "https://www.suse.com/security/cve/CVE-2020-6624"
},
{
"category": "external",
"summary": "SUSE Bug 1160547 for CVE-2020-6624",
"url": "https://bugzilla.suse.com/1160547"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "important"
}
],
"title": "CVE-2020-6624"
},
{
"cve": "CVE-2020-6625",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-6625"
}
],
"notes": [
{
"category": "general",
"text": "jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-6625",
"url": "https://www.suse.com/security/cve/CVE-2020-6625"
},
{
"category": "external",
"summary": "SUSE Bug 1160544 for CVE-2020-6625",
"url": "https://bugzilla.suse.com/1160544"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "important"
}
],
"title": "CVE-2020-6625"
},
{
"cve": "CVE-2021-3496",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3496"
}
],
"notes": [
{
"category": "general",
"text": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3496",
"url": "https://www.suse.com/security/cve/CVE-2021-3496"
},
{
"category": "external",
"summary": "SUSE Bug 1184756 for CVE-2021-3496",
"url": "https://bugzilla.suse.com/1184756"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-16T14:04:45Z",
"details": "important"
}
],
"title": "CVE-2021-3496"
}
]
}
opensuse-su-2021:0620-1
Vulnerability from csaf_opensuse
Published
2021-04-26 04:05
Modified
2021-04-26 04:05
Summary
Security update for jhead
Notes
Title of the patch
Security update for jhead
Description of the patch
This update for jhead fixes the following issues:
- CVE-2021-3496: Fixed heap-based buffer overflow in Get16u() in exif.c (bsc#1184756)
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patchnames
openSUSE-2021-620
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jhead",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jhead fixes the following issues:\n\n- CVE-2021-3496: Fixed heap-based buffer overflow in Get16u() in exif.c (bsc#1184756)\n\nThis update was imported from the openSUSE:Leap:15.2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-620",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0620-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0620-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZXG5OVP6VGZDHK4MFFT7R3RG7DSWAZ4D/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0620-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZXG5OVP6VGZDHK4MFFT7R3RG7DSWAZ4D/"
},
{
"category": "self",
"summary": "SUSE Bug 1184756",
"url": "https://bugzilla.suse.com/1184756"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3496 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3496/"
}
],
"title": "Security update for jhead",
"tracking": {
"current_release_date": "2021-04-26T04:05:12Z",
"generator": {
"date": "2021-04-26T04:05:12Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0620-1",
"initial_release_date": "2021-04-26T04:05:12Z",
"revision_history": [
{
"date": "2021-04-26T04:05:12Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.00-bp152.4.3.1.aarch64",
"product": {
"name": "jhead-3.00-bp152.4.3.1.aarch64",
"product_id": "jhead-3.00-bp152.4.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.00-bp152.4.3.1.ppc64le",
"product": {
"name": "jhead-3.00-bp152.4.3.1.ppc64le",
"product_id": "jhead-3.00-bp152.4.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.00-bp152.4.3.1.s390x",
"product": {
"name": "jhead-3.00-bp152.4.3.1.s390x",
"product_id": "jhead-3.00-bp152.4.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.00-bp152.4.3.1.x86_64",
"product": {
"name": "jhead-3.00-bp152.4.3.1.x86_64",
"product_id": "jhead-3.00-bp152.4.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.00-bp152.4.3.1.aarch64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.aarch64"
},
"product_reference": "jhead-3.00-bp152.4.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.00-bp152.4.3.1.ppc64le as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.ppc64le"
},
"product_reference": "jhead-3.00-bp152.4.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.00-bp152.4.3.1.s390x as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.s390x"
},
"product_reference": "jhead-3.00-bp152.4.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.00-bp152.4.3.1.x86_64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.x86_64"
},
"product_reference": "jhead-3.00-bp152.4.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3496",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3496"
}
],
"notes": [
{
"category": "general",
"text": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3496",
"url": "https://www.suse.com/security/cve/CVE-2021-3496"
},
{
"category": "external",
"summary": "SUSE Bug 1184756 for CVE-2021-3496",
"url": "https://bugzilla.suse.com/1184756"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.00-bp152.4.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-04-26T04:05:12Z",
"details": "important"
}
],
"title": "CVE-2021-3496"
}
]
}
opensuse-su-2021:0752-1
Vulnerability from csaf_opensuse
Published
2021-05-19 16:05
Modified
2021-05-19 16:05
Summary
Security update for jhead
Notes
Title of the patch
Security update for jhead
Description of the patch
This update for jhead fixes the following issues:
jhead was updated to 3.06.0.1
* lot of fuzztest fixes
* Apply a whole bunch of patches from Debian.
* Spell check and fuzz test stuff from Debian, nothing useful to
human users.
* Add option to set exif date from date from another file.
* Bug fixes relating to fuzz testing.
* Fix bug where thumbnail replacement DID NOT WORK.
* Fix bug when no orientation tag is present
* Fix bug of not clearing exif information when processing images
with an without exif data in one invocation.
* Remove some unnecessary warnings with some types of GPS data
* Remove multiple copies of the same type of section when deleting
section types
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patchnames
openSUSE-2021-752
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jhead",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jhead fixes the following issues:\n\njhead was updated to 3.06.0.1\n\n* lot of fuzztest fixes\n* Apply a whole bunch of patches from Debian.\n* Spell check and fuzz test stuff from Debian, nothing useful to\n human users.\n* Add option to set exif date from date from another file.\n* Bug fixes relating to fuzz testing.\n* Fix bug where thumbnail replacement DID NOT WORK.\n* Fix bug when no orientation tag is present\n* Fix bug of not clearing exif information when processing images\n with an without exif data in one invocation.\n* Remove some unnecessary warnings with some types of GPS data\n* Remove multiple copies of the same type of section when deleting\n section types\n\nThis update was imported from the openSUSE:Leap:15.2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-752",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0752-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0752-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3GBTHCPCHWJ3JG5IDEDAYSW5LVUEVXYH/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0752-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3GBTHCPCHWJ3JG5IDEDAYSW5LVUEVXYH/"
},
{
"category": "self",
"summary": "SUSE Bug 1144316",
"url": "https://bugzilla.suse.com/1144316"
},
{
"category": "self",
"summary": "SUSE Bug 1144354",
"url": "https://bugzilla.suse.com/1144354"
},
{
"category": "self",
"summary": "SUSE Bug 1160544",
"url": "https://bugzilla.suse.com/1160544"
},
{
"category": "self",
"summary": "SUSE Bug 1160547",
"url": "https://bugzilla.suse.com/1160547"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-3822 page",
"url": "https://www.suse.com/security/cve/CVE-2016-3822/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16554 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16554/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-17088 page",
"url": "https://www.suse.com/security/cve/CVE-2018-17088/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-6612 page",
"url": "https://www.suse.com/security/cve/CVE-2018-6612/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-1010301 page",
"url": "https://www.suse.com/security/cve/CVE-2019-1010301/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-1010302 page",
"url": "https://www.suse.com/security/cve/CVE-2019-1010302/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-6624 page",
"url": "https://www.suse.com/security/cve/CVE-2020-6624/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-6625 page",
"url": "https://www.suse.com/security/cve/CVE-2020-6625/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3496 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3496/"
}
],
"title": "Security update for jhead",
"tracking": {
"current_release_date": "2021-05-19T16:05:20Z",
"generator": {
"date": "2021-05-19T16:05:20Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0752-1",
"initial_release_date": "2021-05-19T16:05:20Z",
"revision_history": [
{
"date": "2021-05-19T16:05:20Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-bp152.4.6.1.aarch64",
"product": {
"name": "jhead-3.06.0.1-bp152.4.6.1.aarch64",
"product_id": "jhead-3.06.0.1-bp152.4.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"product": {
"name": "jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"product_id": "jhead-3.06.0.1-bp152.4.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-bp152.4.6.1.s390x",
"product": {
"name": "jhead-3.06.0.1-bp152.4.6.1.s390x",
"product_id": "jhead-3.06.0.1-bp152.4.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-bp152.4.6.1.x86_64",
"product": {
"name": "jhead-3.06.0.1-bp152.4.6.1.x86_64",
"product_id": "jhead-3.06.0.1-bp152.4.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-bp152.4.6.1.aarch64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64"
},
"product_reference": "jhead-3.06.0.1-bp152.4.6.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-bp152.4.6.1.ppc64le as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le"
},
"product_reference": "jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-bp152.4.6.1.s390x as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x"
},
"product_reference": "jhead-3.06.0.1-bp152.4.6.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-bp152.4.6.1.x86_64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
},
"product_reference": "jhead-3.06.0.1-bp152.4.6.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-3822",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-3822"
}
],
"notes": [
{
"category": "general",
"text": "exif.c in Matthias Wandel jhead 2.87, as used in libjhead in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds access) via crafted EXIF data, aka internal bug 28868315.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-3822",
"url": "https://www.suse.com/security/cve/CVE-2016-3822"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2016-3822",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2016-3822",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "low"
}
],
"title": "CVE-2016-3822"
},
{
"cve": "CVE-2018-16554",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16554"
}
],
"notes": [
{
"category": "general",
"text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16554",
"url": "https://www.suse.com/security/cve/CVE-2018-16554"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2018-16554",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2018-16554",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "low"
}
],
"title": "CVE-2018-16554"
},
{
"cve": "CVE-2018-17088",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-17088"
}
],
"notes": [
{
"category": "general",
"text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-17088",
"url": "https://www.suse.com/security/cve/CVE-2018-17088"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2018-17088",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2018-17088",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "low"
}
],
"title": "CVE-2018-17088"
},
{
"cve": "CVE-2018-6612",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-6612"
}
],
"notes": [
{
"category": "general",
"text": "An integer underflow bug in the process_EXIF function of the exif.c file of jhead 3.00 raises a heap-based buffer over-read when processing a malicious JPEG file, which may allow a remote attacker to cause a denial-of-service attack or unspecified other impact.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-6612",
"url": "https://www.suse.com/security/cve/CVE-2018-6612"
},
{
"category": "external",
"summary": "SUSE Bug 1079349 for CVE-2018-6612",
"url": "https://bugzilla.suse.com/1079349"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "moderate"
}
],
"title": "CVE-2018-6612"
},
{
"cve": "CVE-2019-1010301",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-1010301"
}
],
"notes": [
{
"category": "general",
"text": "jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-1010301",
"url": "https://www.suse.com/security/cve/CVE-2019-1010301"
},
{
"category": "external",
"summary": "SUSE Bug 1144316 for CVE-2019-1010301",
"url": "https://bugzilla.suse.com/1144316"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "low"
}
],
"title": "CVE-2019-1010301"
},
{
"cve": "CVE-2019-1010302",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-1010302"
}
],
"notes": [
{
"category": "general",
"text": "jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-1010302",
"url": "https://www.suse.com/security/cve/CVE-2019-1010302"
},
{
"category": "external",
"summary": "SUSE Bug 1144354 for CVE-2019-1010302",
"url": "https://bugzilla.suse.com/1144354"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "low"
}
],
"title": "CVE-2019-1010302"
},
{
"cve": "CVE-2020-6624",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-6624"
}
],
"notes": [
{
"category": "general",
"text": "jhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-6624",
"url": "https://www.suse.com/security/cve/CVE-2020-6624"
},
{
"category": "external",
"summary": "SUSE Bug 1160547 for CVE-2020-6624",
"url": "https://bugzilla.suse.com/1160547"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "important"
}
],
"title": "CVE-2020-6624"
},
{
"cve": "CVE-2020-6625",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-6625"
}
],
"notes": [
{
"category": "general",
"text": "jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-6625",
"url": "https://www.suse.com/security/cve/CVE-2020-6625"
},
{
"category": "external",
"summary": "SUSE Bug 1160544 for CVE-2020-6625",
"url": "https://bugzilla.suse.com/1160544"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "important"
}
],
"title": "CVE-2020-6625"
},
{
"cve": "CVE-2021-3496",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3496"
}
],
"notes": [
{
"category": "general",
"text": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3496",
"url": "https://www.suse.com/security/cve/CVE-2021-3496"
},
{
"category": "external",
"summary": "SUSE Bug 1184756 for CVE-2021-3496",
"url": "https://bugzilla.suse.com/1184756"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.aarch64",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.ppc64le",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.s390x",
"SUSE Package Hub 15 SP2:jhead-3.06.0.1-bp152.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-19T16:05:20Z",
"details": "important"
}
],
"title": "CVE-2021-3496"
}
]
}
opensuse-su-2024:10880-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
jhead-3.06.0.1-1.3 on GA media
Notes
Title of the patch
jhead-3.06.0.1-1.3 on GA media
Description of the patch
These are all security issues fixed in the jhead-3.06.0.1-1.3 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-10880
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jhead-3.06.0.1-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jhead-3.06.0.1-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10880",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10880-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-3822 page",
"url": "https://www.suse.com/security/cve/CVE-2016-3822/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16554 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16554/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-17088 page",
"url": "https://www.suse.com/security/cve/CVE-2018-17088/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-6612 page",
"url": "https://www.suse.com/security/cve/CVE-2018-6612/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3496 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3496/"
}
],
"title": "jhead-3.06.0.1-1.3 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10880-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-1.3.aarch64",
"product": {
"name": "jhead-3.06.0.1-1.3.aarch64",
"product_id": "jhead-3.06.0.1-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-1.3.ppc64le",
"product": {
"name": "jhead-3.06.0.1-1.3.ppc64le",
"product_id": "jhead-3.06.0.1-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-1.3.s390x",
"product": {
"name": "jhead-3.06.0.1-1.3.s390x",
"product_id": "jhead-3.06.0.1-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jhead-3.06.0.1-1.3.x86_64",
"product": {
"name": "jhead-3.06.0.1-1.3.x86_64",
"product_id": "jhead-3.06.0.1-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64"
},
"product_reference": "jhead-3.06.0.1-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le"
},
"product_reference": "jhead-3.06.0.1-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x"
},
"product_reference": "jhead-3.06.0.1-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jhead-3.06.0.1-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
},
"product_reference": "jhead-3.06.0.1-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-3822",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-3822"
}
],
"notes": [
{
"category": "general",
"text": "exif.c in Matthias Wandel jhead 2.87, as used in libjhead in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds access) via crafted EXIF data, aka internal bug 28868315.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-3822",
"url": "https://www.suse.com/security/cve/CVE-2016-3822"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2016-3822",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2016-3822",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2016-3822"
},
{
"cve": "CVE-2018-16554",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16554"
}
],
"notes": [
{
"category": "general",
"text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16554",
"url": "https://www.suse.com/security/cve/CVE-2018-16554"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2018-16554",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2018-16554",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2018-16554"
},
{
"cve": "CVE-2018-17088",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-17088"
}
],
"notes": [
{
"category": "general",
"text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-17088",
"url": "https://www.suse.com/security/cve/CVE-2018-17088"
},
{
"category": "external",
"summary": "SUSE Bug 1108480 for CVE-2018-17088",
"url": "https://bugzilla.suse.com/1108480"
},
{
"category": "external",
"summary": "SUSE Bug 1108672 for CVE-2018-17088",
"url": "https://bugzilla.suse.com/1108672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2018-17088"
},
{
"cve": "CVE-2018-6612",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-6612"
}
],
"notes": [
{
"category": "general",
"text": "An integer underflow bug in the process_EXIF function of the exif.c file of jhead 3.00 raises a heap-based buffer over-read when processing a malicious JPEG file, which may allow a remote attacker to cause a denial-of-service attack or unspecified other impact.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-6612",
"url": "https://www.suse.com/security/cve/CVE-2018-6612"
},
{
"category": "external",
"summary": "SUSE Bug 1079349 for CVE-2018-6612",
"url": "https://bugzilla.suse.com/1079349"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-6612"
},
{
"cve": "CVE-2021-3496",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3496"
}
],
"notes": [
{
"category": "general",
"text": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3496",
"url": "https://www.suse.com/security/cve/CVE-2021-3496"
},
{
"category": "external",
"summary": "SUSE Bug 1184756 for CVE-2021-3496",
"url": "https://bugzilla.suse.com/1184756"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.aarch64",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.ppc64le",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.s390x",
"openSUSE Tumbleweed:jhead-3.06.0.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-3496"
}
]
}
fkie_cve-2021-3496
Vulnerability from fkie_nvd
Published
2021-04-22 19:15
Modified
2024-11-21 06:21
Severity ?
Summary
A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| patrick@puiterwijk.org | https://bugzilla.redhat.com/show_bug.cgi?id=1949245 | Issue Tracking, Third Party Advisory | |
| patrick@puiterwijk.org | https://github.com/Matthias-Wandel/jhead/issues/33 | Exploit, Patch, Third Party Advisory | |
| patrick@puiterwijk.org | https://security.gentoo.org/glsa/202210-17 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1949245 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Matthias-Wandel/jhead/issues/33 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202210-17 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jhead_project | jhead | 3.06 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jhead_project:jhead:3.06:*:*:*:*:*:*:*",
"matchCriteriaId": "D05C20ED-B09A-43EE-8D82-0524C33E0E60",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un desbordamiento de b\u00fafer en la regi\u00f3n heap de la memoria en jhead en versi\u00f3n 3.06, en la funci\u00f3n Get16u() en el archivo exif.c cuando se procesa un archivo dise\u00f1ado"
}
],
"id": "CVE-2021-3496",
"lastModified": "2024-11-21T06:21:40.943",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-22T19:15:07.450",
"references": [
{
"source": "patrick@puiterwijk.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245"
},
{
"source": "patrick@puiterwijk.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Matthias-Wandel/jhead/issues/33"
},
{
"source": "patrick@puiterwijk.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202210-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Matthias-Wandel/jhead/issues/33"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202210-17"
}
],
"sourceIdentifier": "patrick@puiterwijk.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "patrick@puiterwijk.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
gsd-2021-3496
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-3496",
"description": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"id": "GSD-2021-3496",
"references": [
"https://www.suse.com/security/cve/CVE-2021-3496.html",
"https://advisories.mageia.org/CVE-2021-3496.html",
"https://security.archlinux.org/CVE-2021-3496"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-3496"
],
"details": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"id": "GSD-2021-3496",
"modified": "2023-12-13T01:23:35.092128Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "patrick@puiterwijk.org",
"ID": "CVE-2021-3496",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jhead",
"version": {
"version_data": [
{
"version_value": "jhead 3.06.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-119"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245"
},
{
"name": "https://github.com/Matthias-Wandel/jhead/issues/33",
"refsource": "MISC",
"url": "https://github.com/Matthias-Wandel/jhead/issues/33"
},
{
"name": "GLSA-202210-17",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202210-17"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:jhead_project:jhead:3.06:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@elastic.co",
"ID": "CVE-2021-3496"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245"
},
{
"name": "https://github.com/Matthias-Wandel/jhead/issues/33",
"refsource": "MISC",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Matthias-Wandel/jhead/issues/33"
},
{
"name": "GLSA-202210-17",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202210-17"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-12-07T01:18Z",
"publishedDate": "2021-04-22T19:15Z"
}
}
}
ghsa-rvxv-5pj2-85pq
Vulnerability from github
Published
2022-05-24 17:48
Modified
2022-10-31 12:00
Severity ?
VLAI Severity ?
Details
A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.
{
"affected": [],
"aliases": [
"CVE-2021-3496"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T19:15:00Z",
"severity": "HIGH"
},
"details": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.",
"id": "GHSA-rvxv-5pj2-85pq",
"modified": "2022-10-31T12:00:22Z",
"published": "2022-05-24T17:48:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3496"
},
{
"type": "WEB",
"url": "https://github.com/Matthias-Wandel/jhead/issues/33"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949245"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…