Your message dated Wed, 26 Oct 2022 18:52:05 +0000
with message-id <e1onlvv-00fulh...@fasolo.debian.org>
and subject line Bug#1022028: fixed in jhead 1:3.06.0.1-3
has caused the Debian Bug report #1022028,
regarding jhead: CVE-2022-41751
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1022028: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022028
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jhead
Version: 1:3.06.0.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/Matthias-Wandel/jhead/pull/57
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jhead.

CVE-2022-41751[0]:
| Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by
| placing them in a JPEG filename and then using the regeneration -rgt50
| option.

From context I'm not yet really convinced we need a DSA for it, as a
user needs to be tricked into processing a specially crafted filename.
Keeping RC severity though to make sure the fix lands in bookworm.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-41751
    https://www.cve.org/CVERecord?id=CVE-2022-41751
[1] https://github.com/Matthias-Wandel/jhead/pull/57

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
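The bug class named by the CVE above, as an added illustration that is not jhead's code nor the Debian patch: a filename pasted into a shell command line next to the hardened form, where the helper is spawned via fork/exec and the filename is a single argv element. The helper name `echo` and the `run_helper_*` functions are assumptions made for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Unsafe pattern (the CVE-2022-41751 class): the filename is pasted into shell
 * text, so quotes or ';' inside it end the argument and start a new command.
 * Shown for contrast only; nothing below calls it. */
int run_helper_via_shell(const char *helper, const char *filename) {
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "%s '%s'", helper, filename);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    return system(cmd);              /* /bin/sh -c parses the whole string */
}
/* Hardened form: spawn the helper directly; the filename travels as one argv
 * element and no shell ever sees it. Captures the child's stdout into out
 * (NUL-terminated) and returns its exit status, or -1 on error. */
int run_helper_argv(const char *helper, const char *filename, char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                  /* child: wire stdout to the pipe, exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp(helper, helper, filename, (char *)NULL);
        _exit(127);                  /* only reached if exec failed */
    }
    close(fds[1]);                   /* parent: drain the pipe until EOF */
    size_t used = 0;
    ssize_t r;
    while (used + 1 < outlen && (r = read(fds[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Check: hand /bin/echo a filename full of shell metacharacters through argv;
 * it must come back byte-for-byte, showing nothing interpreted it. */
int filename_passed_literally(const char *filename) {
    char out[4096];
    if (run_helper_argv("echo", filename, out, sizeof out) != 0) return 0;
    size_t len = strlen(out);
    if (len && out[len - 1] == '\n') out[len - 1] = '\0';
    return strcmp(out, filename) == 0;
}
```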
--- Begin Message ---
Source: jhead
Source-Version: 1:3.06.0.1-3
Done: Joachim Reichel <reic...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1022...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Reichel <reic...@debian.org> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 23 Oct 2022 13:36:55 +0200
Source: jhead
Architecture: source
Version: 1:3.06.0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Joachim Reichel <reic...@debian.org>
Changed-By: Joachim Reichel <reic...@debian.org>
Closes: 1022028
Changes:
 jhead (1:3.06.0.1-3) unstable; urgency=medium
 .
   * Add patch fix_cve_2022_41751 to fix CVE-2022-41751 (Closes: #1022028).
   * Add patch fix_cppflags to pick up all hardening flags.
   * Update Standards-Version to 4.6.1 (no changes needed).
   * Update debian/watch after github website changes.
   * Update Vcs-* fields in debian/control.

--- End Message ---