opensuse-su-2021:0743-1
Vulnerability from csaf_opensuse
Published
2021-05-16 14:04
Modified
2021-05-16 14:04
Summary
Security update for jhead
Notes
Title of the patch
Security update for jhead
Description of the patch
This update for jhead fixes the following issues:
jhead was updated to 3.06.0.1
* lot of fuzztest fixes
* Apply a whole bunch of patches from Debian.
* Spell check and fuzz test stuff from Debian, nothing useful to
human users.
* Add option to set exif date from date from another file.
* Bug fixes relating to fuzz testing.
* Fix bug where thumbnail replacement DID NOT WORK.
* Fix bug when no orientation tag is present
* Fix bug of not clearing exif information when processing images
with an without exif data in one invocation.
* Remove some unnecessary warnings with some types of GPS data
* Remove multiple copies of the same type of section when deleting
section types
Patchnames
openSUSE-2021-743
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for jhead", "title": "Title of the patch" }, { "category": "description", "text": "This update for jhead fixes the following issues:\n\njhead was updated to 3.06.0.1\n\n* lot of fuzztest fixes\n* Apply a whole bunch of patches from Debian.\n* Spell check and fuzz test stuff from Debian, nothing useful to\n human users.\n* Add option to set exif date from date from another file.\n* Bug fixes relating to fuzz testing.\n* Fix bug where thumbnail replacement DID NOT WORK.\n* Fix bug when no orientation tag is present\n* Fix bug of not clearing exif information when processing images\n with an without exif data in one invocation.\n* Remove some unnecessary warnings with some types of GPS data\n* Remove multiple copies of the same type of section when deleting\n section types\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2021-743", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0743-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2021:0743-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2021:0743-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/" }, { "category": "self", "summary": "SUSE Bug 1144316", "url": "https://bugzilla.suse.com/1144316" }, { "category": "self", "summary": "SUSE Bug 1144354", "url": "https://bugzilla.suse.com/1144354" }, { "category": "self", "summary": "SUSE Bug 1160544", "url": "https://bugzilla.suse.com/1160544" }, { "category": "self", "summary": "SUSE Bug 1160547", "url": "https://bugzilla.suse.com/1160547" }, { "category": "self", "summary": "SUSE CVE CVE-2016-3822 page", "url": "https://www.suse.com/security/cve/CVE-2016-3822/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-16554 page", "url": "https://www.suse.com/security/cve/CVE-2018-16554/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-17088 page", "url": "https://www.suse.com/security/cve/CVE-2018-17088/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-6612 page", "url": "https://www.suse.com/security/cve/CVE-2018-6612/" }, { "category": "self", "summary": "SUSE CVE CVE-2019-1010301 page", "url": "https://www.suse.com/security/cve/CVE-2019-1010301/" }, { "category": "self", "summary": "SUSE CVE CVE-2019-1010302 page", "url": "https://www.suse.com/security/cve/CVE-2019-1010302/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6624 page", "url": "https://www.suse.com/security/cve/CVE-2020-6624/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-6625 page", "url": "https://www.suse.com/security/cve/CVE-2020-6625/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-3496 page", "url": "https://www.suse.com/security/cve/CVE-2021-3496/" } ], "title": "Security update for jhead", "tracking": { "current_release_date": "2021-05-16T14:04:45Z", "generator": { "date": "2021-05-16T14:04:45Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2021:0743-1", "initial_release_date": "2021-05-16T14:04:45Z", "revision_history": [ { "date": "2021-05-16T14:04:45Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "jhead-3.06.0.1-lp152.7.6.1.x86_64", "product": { "name": "jhead-3.06.0.1-lp152.7.6.1.x86_64", "product_id": "jhead-3.06.0.1-lp152.7.6.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.2", "product": { "name": "openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.2" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jhead-3.06.0.1-lp152.7.6.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" }, "product_reference": "jhead-3.06.0.1-lp152.7.6.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-3822", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-3822" } ], "notes": [ { "category": "general", "text": "exif.c in Matthias Wandel jhead 2.87, as used in libjhead in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds access) via crafted EXIF data, aka internal bug 28868315.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2016-3822", "url": "https://www.suse.com/security/cve/CVE-2016-3822" }, { "category": "external", "summary": "SUSE Bug 1108480 for CVE-2016-3822", "url": "https://bugzilla.suse.com/1108480" }, { "category": "external", "summary": "SUSE Bug 1108672 for CVE-2016-3822", "url": "https://bugzilla.suse.com/1108672" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "low" } ], "title": "CVE-2016-3822" }, { "cve": "CVE-2018-16554", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-16554" } ], "notes": [ { "category": "general", "text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-16554", "url": "https://www.suse.com/security/cve/CVE-2018-16554" }, { "category": "external", "summary": "SUSE Bug 1108480 for CVE-2018-16554", "url": "https://bugzilla.suse.com/1108480" }, { "category": "external", "summary": "SUSE Bug 1108672 for CVE-2018-16554", "url": "https://bugzilla.suse.com/1108672" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "low" } ], "title": "CVE-2018-16554" }, { "cve": "CVE-2018-17088", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-17088" } ], "notes": [ { "category": "general", "text": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-17088", "url": "https://www.suse.com/security/cve/CVE-2018-17088" }, { "category": "external", "summary": "SUSE Bug 1108480 for CVE-2018-17088", "url": "https://bugzilla.suse.com/1108480" }, { "category": "external", "summary": "SUSE Bug 1108672 for CVE-2018-17088", "url": "https://bugzilla.suse.com/1108672" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "low" } ], "title": "CVE-2018-17088" }, { "cve": "CVE-2018-6612", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-6612" } ], "notes": [ { "category": "general", "text": "An integer underflow bug in the process_EXIF function of the exif.c file of jhead 3.00 raises a heap-based buffer over-read when processing a malicious JPEG file, which may allow a remote attacker to cause a denial-of-service attack or unspecified other impact.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-6612", "url": "https://www.suse.com/security/cve/CVE-2018-6612" }, { "category": "external", "summary": "SUSE Bug 1079349 for CVE-2018-6612", "url": "https://bugzilla.suse.com/1079349" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "moderate" } ], "title": "CVE-2018-6612" }, { "cve": "CVE-2019-1010301", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2019-1010301" } ], "notes": [ { "category": "general", "text": "jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2019-1010301", "url": "https://www.suse.com/security/cve/CVE-2019-1010301" }, { "category": "external", "summary": "SUSE Bug 1144316 for CVE-2019-1010301", "url": "https://bugzilla.suse.com/1144316" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "low" } ], "title": "CVE-2019-1010301" }, { "cve": "CVE-2019-1010302", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2019-1010302" } ], "notes": [ { "category": "general", "text": "jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2019-1010302", "url": "https://www.suse.com/security/cve/CVE-2019-1010302" }, { "category": "external", "summary": "SUSE Bug 1144354 for CVE-2019-1010302", "url": "https://bugzilla.suse.com/1144354" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "low" } ], "title": "CVE-2019-1010302" }, { "cve": "CVE-2020-6624", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6624" } ], "notes": [ { "category": "general", "text": "jhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6624", "url": "https://www.suse.com/security/cve/CVE-2020-6624" }, { "category": "external", "summary": "SUSE Bug 1160547 for CVE-2020-6624", "url": "https://bugzilla.suse.com/1160547" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "important" } ], "title": "CVE-2020-6624" }, { "cve": "CVE-2020-6625", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-6625" } ], "notes": [ { "category": "general", "text": "jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-6625", "url": "https://www.suse.com/security/cve/CVE-2020-6625" }, { "category": "external", "summary": "SUSE Bug 1160544 for CVE-2020-6625", "url": "https://bugzilla.suse.com/1160544" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "important" } ], "title": "CVE-2020-6625" }, { "cve": "CVE-2021-3496", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-3496" } ], "notes": [ { "category": "general", "text": "A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-3496", "url": "https://www.suse.com/security/cve/CVE-2021-3496" }, { "category": "external", "summary": "SUSE Bug 1184756 for CVE-2021-3496", "url": "https://bugzilla.suse.com/1184756" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:jhead-3.06.0.1-lp152.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-05-16T14:04:45Z", "details": "important" } ], "title": "CVE-2021-3496" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…