Bug#1022028: jhead: CVE-2022-41751
found 1022028 1:3.00-8
thanks

The bugs exist probably since the features were added a long time ago. Let's use the current oldstable version for tracking purposes.
Bug#1022028: jhead: CVE-2022-41751
Hi Jakub,

On Wed, Oct 19, 2022 at 10:45:22AM +0200, Jakub Wilk wrote:
> * Salvatore Bonaccorso , 2022-10-19 09:53:
> > [1] https://github.com/Matthias-Wandel/jhead/pull/57
>
> This fix is incomplete:
> https://github.com/Matthias-Wandel/jhead/issues/60

Thanks for having reported this upstream.

Salvatore
Bug#1022028: jhead: CVE-2022-41751
* Salvatore Bonaccorso , 2022-10-19 09:53:
> [1] https://github.com/Matthias-Wandel/jhead/pull/57

This fix is incomplete:
https://github.com/Matthias-Wandel/jhead/issues/60

--
Jakub Wilk
Bug#1022028: jhead: CVE-2022-41751
Source: jhead
Version: 1:3.06.0.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/Matthias-Wandel/jhead/pull/57
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for jhead.

CVE-2022-41751[0]:
| Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by
| placing them in a JPEG filename and then using the regeneration -rgt50
| option.

From context I'm not yet really convinced we need a DSA for it, as a user needs to be tricked into processing a specially crafted filename. Keeping RC severity though to make sure the fix lands in bookworm.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-41751
    https://www.cve.org/CVERecord?id=CVE-2022-41751
[1] https://github.com/Matthias-Wandel/jhead/pull/57

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
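The CVE text above describes the general shape of the bug: a filename under the attacker's control is spliced into a command line that a shell parses. The following C program is an added illustration written for this page; it is neither jhead's code nor the upstream fix in pull request 57, and it does not reproduce how jhead actually invokes its thumbnail regenerator. The resizer name (`mogrify`), its `-resize` option, the buffer sizes and the sample filename are all assumptions made for the example. It builds (but never executes) the shell-bound string so the injection point is visible, offers a metacharacter check useful when auditing a directory before an old `-rgt` style code path touches it, and shows the `execvp()` form in which the filename travels as one argument that no shell interprets.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* External resizer the thumbnail regeneration hands the file to.
 * Assumption for this example; the page does not show which program
 * jhead runs or how it builds the command line. */
#define RESIZER "mogrify"

/* Unsafe pattern: splice the user-controlled filename into one string
 * destined for system()/popen(), i.e. for /bin/sh. Only builds the string
 * (never executes it) so the injection point can be inspected.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_shell_command_unsafe(const char *filename, int size,
                               char *out, size_t outlen)
{
    int n = snprintf(out, outlen, RESIZER " -resize %dx%d %s",
                     size, size, filename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Detection aid: would /bin/sh give any byte of this name special meaning?
 * Returns 1 if a shell metacharacter is present, else 0. */
int filename_has_shell_metachars(const char *filename)
{
    return strpbrk(filename, "'\"`$;&|<>()\\\n*?[]{}~# \t") != NULL;
}

/* Safe pattern: an argv vector handed to execvp(), so no shell ever parses
 * the filename. The name is one argument, bytes intact. */
typedef struct {
    char geometry[32];
    char path[4096];
    char *argv[6];
} resize_cmd;

/* Fills cmd and returns argc, or -1 if the name does not fit. A name that
 * starts with '-' is prefixed with "./" so the resizer cannot mistake it
 * for an option. */
int build_argv_safe(const char *filename, int size, resize_cmd *cmd)
{
    snprintf(cmd->geometry, sizeof cmd->geometry, "%dx%d", size, size);
    if (snprintf(cmd->path, sizeof cmd->path, "%s%s",
                 filename[0] == '-' ? "./" : "", filename)
        >= (int)sizeof cmd->path)
        return -1;
    cmd->argv[0] = RESIZER;
    cmd->argv[1] = "-resize";
    cmd->argv[2] = cmd->geometry;
    cmd->argv[3] = cmd->path;
    cmd->argv[4] = NULL;
    return 4;
}

/* Runs the prepared vector with fork()+execvp(). Returns the child's exit
 * status (127 if the exec itself failed), or -1 on fork/wait failure. */
int run_argv(resize_cmd *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(cmd->argv[0], cmd->argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample name: the part after ';' is harmless but shows a
     * shell separator surviving into the unsafe command string. */
    const char *name = "holiday.jpg; echo injected";
    char cmd[256];
    build_shell_command_unsafe(name, 50, cmd, sizeof cmd);
    printf("unsafe string: %s\n", cmd);
    printf("metachars present: %d\n", filename_has_shell_metachars(name));

    resize_cmd safe;
    int argc = build_argv_safe(name, 50, &safe);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, safe.argv[i]);
    return 0;
}
```

Running it prints the unsafe string with the `;` intact and then the four argv entries, with the whole filename sitting in `argv[3]`. The `./` prefix for names beginning with `-` is the second half of the fix: removing the shell stops command injection, but a filename that reads like an option can still change what the child program does.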