jhead-3.06.0.1-1.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10880-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z jhead-3.06.0.1-1.3 on GA media These are all security issues fixed in the jhead-3.06.0.1-1.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10880 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2016-3822/ SUSE CVE CVE-2016-3822 page https://www.suse.com/security/cve/CVE-2018-16554/ SUSE CVE CVE-2018-16554 page https://www.suse.com/security/cve/CVE-2018-17088/ SUSE CVE CVE-2018-17088 page https://www.suse.com/security/cve/CVE-2018-6612/ SUSE CVE CVE-2018-6612 page https://www.suse.com/security/cve/CVE-2021-3496/ SUSE CVE CVE-2021-3496 page openSUSE Tumbleweed jhead-3.06.0.1-1.3 jhead-3.06.0.1-1.3 as a component of openSUSE Tumbleweed exif.c in Matthias Wandel jhead 2.87, as used in libjhead in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds access) via crafted EXIF data, aka internal bug 28868315. CVE-2016-3822 openSUSE Tumbleweed:jhead-3.06.0.1-1.3 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3822.html CVE-2016-3822 https://bugzilla.suse.com/1108480 SUSE Bug 1108480 https://bugzilla.suse.com/1108672 SUSE Bug 1108672 The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling. CVE-2018-16554 openSUSE Tumbleweed:jhead-3.06.0.1-1.3 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-16554.html CVE-2018-16554 https://bugzilla.suse.com/1108480 SUSE Bug 1108480 https://bugzilla.suse.com/1108672 SUSE Bug 1108672 The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability. CVE-2018-17088 openSUSE Tumbleweed:jhead-3.06.0.1-1.3 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-17088.html CVE-2018-17088 https://bugzilla.suse.com/1108480 SUSE Bug 1108480 https://bugzilla.suse.com/1108672 SUSE Bug 1108672 An integer underflow bug in the process_EXIF function of the exif.c file of jhead 3.00 raises a heap-based buffer over-read when processing a malicious JPEG file, which may allow a remote attacker to cause a denial-of-service attack or unspecified other impact. CVE-2018-6612 openSUSE Tumbleweed:jhead-3.06.0.1-1.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-6612.html CVE-2018-6612 https://bugzilla.suse.com/1079349 SUSE Bug 1079349 A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file. CVE-2021-3496 openSUSE Tumbleweed:jhead-3.06.0.1-1.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3496.html CVE-2021-3496 https://bugzilla.suse.com/1184756 SUSE Bug 1184756