Hello community,

here is the log from the commit of package jhead for openSUSE:Factory checked 
in at 2018-02-06 16:50:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jhead (Old)
 and      /work/SRC/openSUSE:Factory/.jhead.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jhead"

Tue Feb  6 16:50:36 2018 rev:23 rq:573268 version:3.00

Changes:
--------
--- /work/SRC/openSUSE:Factory/jhead/jhead.changes      2015-04-28 
20:48:09.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.jhead.new/jhead.changes 2018-02-06 
16:50:39.167859399 +0100
@@ -1,0 +2,6 @@
+Mon Feb  5 16:46:47 UTC 2018 - kbabi...@suse.com
+
+- Added CVE-2018-6612.patch: Fix of a heap-based buffer over-read
+  (boo#1079349 CVE-2018-6612)
+
+-------------------------------------------------------------------

New:
----
  CVE-2018-6612.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jhead.spec ++++++
--- /var/tmp/diff_new_pack.mlF8Bp/_old  2018-02-06 16:50:40.211810511 +0100
+++ /var/tmp/diff_new_pack.mlF8Bp/_new  2018-02-06 16:50:40.215810324 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package jhead
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,7 @@
 Url:            http://www.sentex.net/~mwandel/jhead/
 Source0:        http://www.sentex.net/~mwandel/jhead/jhead-%{version}.tar.gz
 Source1:        %{name}.changes
+Patch0:         CVE-2018-6612.patch
 Requires:       %{_bindir}/jpegtran
 Requires:       %{_bindir}/mogrify
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
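Review bot: The `Patch0:` line is added without a comment recording where the patch comes from or whether it has been sent upstream; the bug reference (boo#1079349) appears only in jhead.changes. A one-line comment directly above `Patch0:` naming the bug and the upstream status would let whoever next updates the package past 3.00 decide whether the patch can be dropped.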
@@ -39,6 +40,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE1}")"
 DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
 TIME="\"$(date -d "${modified}" "+%%R")\""

++++++ CVE-2018-6612.patch ++++++
--- jhead-3.00.orig/exif.c
+++ jhead-3.00/exif.c
@@ -1019,7 +1019,7 @@ void process_EXIF (unsigned char * ExifS
 
     FirstOffset = Get32u(ExifSection+12);
     if (FirstOffset < 8 || FirstOffset > 16){
-        if (FirstOffset < 16 || FirstOffset > length-16){
+        if (FirstOffset < 16 || length < 16 || FirstOffset > length-16){
             ErrNonfatal("invalid offset for first Exif IFD value",0,0);
             return;
         }
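Review bot: The added `length < 16` test sits inside the `FirstOffset < 8 || FirstOffset > 16` branch, so it only runs when the offset falls outside 8..16; a section shorter than 16 bytes with an offset inside that range skips the guard entirely. In addition, `Get32u(ExifSection+12)` at the top of the hunk has already read bytes 12..15 before any length test visible here. Please confirm that an earlier check outside this hunk guarantees `length >= 16` before that read, or hoist the length test above the `Get32u` call so it covers both paths. The ordering inside the condition is right as written: testing `length < 16` before evaluating `length-16` keeps the subtraction from wrapping if `length` is unsigned (its declaration is not visible in this hunk). The patch file also carries no header describing its origin, which would help when rebasing.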
