Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4641 to the following vulnerability: The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and earlier allows attackers to execute arbitrary commands via shell metacharacters in unspecified input. References: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020 http://www.openwall.com/lists/oss-security/2008/10/15/5 http://www.openwall.com/lists/oss-security/2008/10/15/6 http://www.openwall.com/lists/oss-security/2008/10/16/3
Debian bug report contains a proposed patch that implements simple shellescape function that does escaping of the filenames passed to the external programs: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504194#61 (Patch is not (yet?) upstream, bug also contains further feedback from the upstream author.)
debian has released jhead 2.86 which seems to fix this error.
http://packages.debian.org/changelogs/pool/main/j/jhead/jhead_2.86-1/changelog.html
jhead-2.86-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
jhead-2.86-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-1824 https://admin.fedoraproject.org/updates/F9/FEDORA-2009-1776