Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4641 to the following vulnerability:
The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
earlier allows attackers to execute arbitrary commands via shell
metacharacters in unspecified input.
Debian bug report contains a proposed patch that implements simple shellescape function that does escaping of the filenames passed to the external programs:
(Patch is not (yet?) upstream, bug also contains further feedback from the upstream author.)
debian has released jhead 2.86 which seems to fix this error.
jhead-2.86-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
jhead-2.86-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: