Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4640 to the following vulnerability: The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and earlier allows local users to delete arbitrary files via vectors involving a modified input filename in which (1) a final "z" character is replaced by a "t" character or (2) a final "t" character is replaced by a "z" character. References: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020 http://www.openwall.com/lists/oss-security/2008/10/16/3
debian has released jhead 2.86 which seems to fix this error. http://packages.debian.org/changelogs/pool/main/j/jhead/jhead_2.86-1/changelog.html I will update jhead to 2.86 on all branches.
jhead-2.86-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
jhead-2.86-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-1824 https://admin.fedoraproject.org/updates/F9/FEDORA-2009-1776