Bug 2293996 (CVE-2022-28550) - CVE-2022-28550 jhead: Buffer Overflow via shellescape() jhead.c
Summary: CVE-2022-28550 jhead: Buffer Overflow via shellescape() jhead.c
Keywords:
Status: NEW
Alias: CVE-2022-28550
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2293998 2293997
Blocks:
Reported: 2024-06-24 21:33 UTC by Patrick Del Bello
Modified: 2024-06-24 21:34 UTC
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2024-06-24 21:33:50 UTC
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202406-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: JHead: Multiple Vulnerabilities
     Date: June 22, 2024
     Bugs: #876247, #879801, #908519
       ID: 202406-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in JHead, the worst of
which may lead to arbitrary code execution.

Background
==========

JHead is an EXIF JPEG header manipulation tool.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
media-gfx/jhead  < 3.08        >= 3.08

Description
===========

Multiple vulnerabilities have been discovered in JHead. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All JHead users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.08"

References
==========

[ 1 ] CVE-2020-6624
      https://nvd.nist.gov/vuln/detail/CVE-2020-6624
[ 2 ] CVE-2020-6625
      https://nvd.nist.gov/vuln/detail/CVE-2020-6625
[ 3 ] CVE-2021-34055
      https://nvd.nist.gov/vuln/detail/CVE-2021-34055
[ 4 ] CVE-2022-28550
      https://nvd.nist.gov/vuln/detail/CVE-2022-28550
[ 5 ] CVE-2022-41751
      https://nvd.nist.gov/vuln/detail/CVE-2022-41751

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

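Added example, not code from jhead, from the Gentoo advisory above or from this bug's reporter: the title of this bug names a buffer overflow in a shell-escaping routine, and the C below shows that bug class in isolation. An escaper that prefixes shell metacharacters with a backslash can double the length of its input, so a fixed-size destination filled without a length check overflows as soon as the escaped output is longer than the buffer. The set of escaped characters, the buffer sizes, the 40-quote "filename" and all function names are assumptions chosen for the illustration and say nothing about jhead's actual implementation.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Characters escaped before a filename is placed on a POSIX shell command
   line. This set is an assumption for the illustration, not jhead's. */
static int needs_escape(char c)
{
    return c != '\0' && strchr(" \t\"'`$\\!&|;<>()*?[]#~", c) != NULL;
}

/* Vulnerable shape: fixed destination, no length check, and every input
   byte may become two output bytes. Only ever called on a short constant
   below; never on attacker-controlled input. */
static void shellescape_unbounded(char *to, const char *from)
{
    while (*from) {
        if (needs_escape(*from))
            *to++ = '\\';
        *to++ = *from++;
    }
    *to = '\0';
}

/* Hardened shape: refuses to write past to_size bytes (NUL included).
   Returns the escaped length, or -1 if the result would not fit; on -1
   the destination is left as an empty string. */
static long shellescape_bounded(char *to, size_t to_size, const char *from)
{
    size_t n = 0;
    if (to_size == 0)
        return -1;
    for (; *from; from++) {
        size_t need = needs_escape(*from) ? 2 : 1;
        if (n + need >= to_size) {      /* keep one byte for the NUL */
            to[0] = '\0';
            return -1;
        }
        if (need == 2)
            to[n++] = '\\';
        to[n++] = *from;
    }
    to[n] = '\0';
    return (long)n;
}

/* Worst case: every byte escaped, plus the terminator. Size buffers by this. */
static size_t escaped_len_max(size_t input_len)
{
    return 2 * input_len + 1;
}

/* 1 if escaping `in` into a buffer of `bufsize` bytes succeeds and yields
   `expected`, else 0. */
static int escape_matches(const char *in, size_t bufsize, const char *expected)
{
    char buf[256];
    if (bufsize > sizeof buf)
        return 0;
    return shellescape_bounded(buf, bufsize, in) >= 0 && strcmp(buf, expected) == 0;
}

/* 1 if the bounded escaper rejects `in` for a buffer of `bufsize` bytes. */
static int escape_rejects(const char *in, size_t bufsize)
{
    char buf[256];
    if (bufsize > sizeof buf)
        return 0;
    return shellescape_bounded(buf, bufsize, in) == -1;
}

/* The overflow scenario: a 64-byte buffer and a constructed "filename" of
   40 single quotes, which escapes to 80 bytes plus NUL. Returns 1 when the
   bounded escaper catches it; the unbounded one would write 81 bytes. */
static int demo_overflow_caught(void)
{
    char evil[41];
    memset(evil, '\'', 40);
    evil[40] = '\0';
    return escape_rejects(evil, 64);
}

int main(void)
{
    char safe[32];
    shellescape_unbounded(safe, "photo.jpg");   /* fits: 9 bytes + NUL */
    printf("unbounded on a known-safe name: %s\n", safe);
    printf("bounded 'a b' -> %s\n", escape_matches("a b", 64, "a\\ b") ? "a\\ b" : "mismatch");
    printf("40 quotes into 64 bytes caught: %d\n", demo_overflow_caught());
    printf("buffer needed for a 40-byte name: %zu\n", escaped_len_max(40));
    return 0;
}
```

The point for a reviewer of any such routine is the size relation: output can be up to 2*strlen(input)+1 bytes, so either the destination is sized from escaped_len_max() or the copy must carry a bound and fail closed. A caller should treat the -1 from the bounded variant as a hard error and must not fall back to passing the raw, unescaped string to the shell.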
Comment 1 Patrick Del Bello 2024-06-24 21:34:06 UTC
Created jhead tracking bugs for this issue:

Affects: epel-all [bug 2293998]
Affects: fedora-all [bug 2293997]

