GLSA-200901-02 : JHead: Multiple vulnerabilities
Critical Nessus Plugin ID 35346
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200901-02 (JHead: Multiple vulnerabilities)
Marc Merlin and John Dong reported multiple vulnerabilities in JHead:
A buffer overflow in the DoCommand() function when processing the cmd argument and related to potential string overflows (CVE-2008-4575).
An insecure creation of a temporary file (CVE-2008-4639).
A error when unlinking a file (CVE-2008-4640).
Insufficient escaping of shell metacharacters (CVE-2008-4641).
A remote attacker could possibly execute arbitrary code by enticing a user or automated system to open a file with a long filename or via unspecified vectors. It is also possible to trick a user into deleting or overwriting files.
There is no known workaround at this time.
SolutionAll JHead users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=media-gfx/jhead-2.84-r1'