Bug#986923: jhead: CVE-2021-3496

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#986923: jhead: CVE-2021-3496
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 14 Apr 2021 14:10:14 +0200
Message-id: <[🔎] 161840221488.1741635.11009465283935165795.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 986923@bugs.debian.org

Source: jhead
Version: 1:3.04-5
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Matthias-Wandel/jhead/issues/33
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for jhead.

CVE-2021-3496[0]:
| heap-based buffer overflow in Get16u() in exif.c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3496
[1] https://github.com/Matthias-Wandel/jhead/issues/33
[2] https://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#986923: Salzburg BSP
  - From: Stephen Kitt <skitt@debian.org>
- Bug#986923: marked as done (jhead: CVE-2021-3496)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Des résidences placées sous le signe de l'excellence à partir de 1M DHS
Next by Date: Bug#986903: marked as done (python3-zope.testrunner: bcep file does not work with buster's py3compile)
Previous by thread: Bug#986903: marked as done (python3-zope.testrunner: bcep file does not work with buster's py3compile)
Next by thread: Bug#986923: Salzburg BSP
Index(es):
- Date
- Thread