Your message dated Fri, 31 Oct 2008 21:17:36 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#503645: fixed in jhead 2.84-2
has caused the Debian Bug report #503645,
regarding jhead: CVE-2008-4640, CVE-2008-4641 command injection via filename 
and insecure file handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
503645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503645
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: jhead
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for jhead.

CVE-2008-4641[0]:
| The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
| earlier allows attackers to execute arbitrary commands via shell
| metacharacters in unspecified input.

CVE-2008-4640[1]:
| The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
| earlier allows local users to delete arbitrary files via vectors
| involving a modified input filename in which (1) a final "z" character
| is replaced by a "t" character or (2) a final "t" character is
| replaced by a "z" character.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4641
    http://security-tracker.debian.net/tracker/CVE-2008-4641
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4640
    http://security-tracker.debian.net/tracker/CVE-2008-4640

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
--- Begin Message ---
Source: jhead
Source-Version: 2.84-2

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive:

jhead_2.84-2.diff.gz
  to pool/main/j/jhead/jhead_2.84-2.diff.gz
jhead_2.84-2.dsc
  to pool/main/j/jhead/jhead_2.84-2.dsc
jhead_2.84-2_amd64.deb
  to pool/main/j/jhead/jhead_2.84-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <[EMAIL PROTECTED]> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 31 Oct 2008 19:53:26 +0100
Source: jhead
Binary: jhead
Architecture: source amd64
Version: 2.84-2
Distribution: unstable
Urgency: high
Maintainer: Ludovic Rousseau <[EMAIL PROTECTED]>
Changed-By: Ludovic Rousseau <[EMAIL PROTECTED]>
Description: 
 jhead      - manipulate the non-image part of Exif compliant JPEG files
Closes: 503645
Changes: 
 jhead (2.84-2) unstable; urgency=high
 .
   * urgency high since it fixes a security RC bug: CVE-2008-4641
   * debian/patches/11_jhead.c.dpatch: Closes: #503645: jhead: CVE-2008-4641
     command injection via filename and insecure file handling

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkLYecACgkQP0qKj+B/HPk0QACeNs/liqlJxZVygD+218FGYzaO
Ui8An27+xRmi+MiTNefnrjO6wEw0PNtT
=6EEy
-----END PGP SIGNATURE-----



--- End Message ---
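
The two issues described in the bug report above (a filename reaching a shell command line, and a working filename derived by changing the last character of the input name) are commonly avoided as sketched below. This is an added example, not code from jhead or from the Debian patch; `run_on_file`, `make_temp_beside` and the `jhtmp_` prefix are hypothetical names chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Pattern to avoid: pasting the filename into a shell command line, e.g.
 *     snprintf(cmd, sizeof cmd, "tool \"%s\"", filename); system(cmd);
 * /bin/sh then interprets any metacharacters the filename contains. */

/* Run prog on filename without a shell: the name is one argv element, and
 * "--" (assumes prog follows POSIX option syntax) stops a leading '-' from
 * being read as an option. Returns the exit status, or -1 on failure. */
int run_on_file(const char *prog, const char *filename)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, "--", (char *)filename, NULL };
        execvp(prog, argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Create a scratch file in the same directory as filename. mkstemp() picks
 * an unpredictable name and opens it with O_CREAT|O_EXCL, so it can never
 * alias a file that already exists. Path is written to out; returns the fd. */
int make_temp_beside(const char *filename, char *out, size_t outlen)
{
    const char *slash = strrchr(filename, '/');
    int dirlen = slash ? (int)(slash - filename) + 1 : 0;
    int n = snprintf(out, outlen, "%.*sjhtmp_XXXXXX", dirlen, filename);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkstemp(out);
}
```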
