[ MDVSA-2009:041 ] jhead

[dude67]

_______________________________________________________________________

Package : jhead
Date : February 17, 2009
Affected: 2008.0, 2008.1, 2009.0
_______________________________________________________________________

Problem Description:

Security vulnerabilies have been identified and fixed in jhead.

Buffer overflow in the DoCommand function in jhead before 2.84 might
allow context-dependent attackers to cause a denial of service (crash)
(CVE-2008-4575).

Jhead before 2.84 allows local users to overwrite arbitrary files
via a symlink attack on a temporary file (CVE-2008-4639).

Jhead 2.84 and earlier allows local users to delete arbitrary files
via vectors involving a modified input filename (CVE-2008-4640).

jhead 2.84 and earlier allows attackers to execute arbitrary commands
via shell metacharacters in unspecified input (CVE-2008-4641).

This update provides the latest Jhead to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-4575
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-4639
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-4640
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-4641
_______________________________________________________________________