Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jhead for openSUSE:Factory checked in at 2022-11-01 13:42:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jhead (Old) and /work/SRC/openSUSE:Factory/.jhead.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jhead"
Tue Nov 1 13:42:29 2022 rev:28 rq:1032523 version:3.06.0.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/jhead/jhead.changes 2021-04-24 23:10:26.443504051 +0200
+++ /work/SRC/openSUSE:Factory/.jhead.new.2275/jhead.changes 2022-11-01 13:42:39.759926225 +0100
@@ -1,0 +2,8 @@
+Thu Oct 27 16:07:11 UTC 2022 - David Anes <david.a...@suse.com>
+
+- security fix [bsc#1204409, CVE-2022-41751]
+ * arbitrary OS commands by placing them in a JPEG filename
+ * Added patch jhead-CVE-2022-41751-1.patch
+ * Added patch jhead-CVE-2022-41751-2.patch
+
+-------------------------------------------------------------------
New:
----
jhead-CVE-2022-41751-1.patch
jhead-CVE-2022-41751-2.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jhead.spec ++++++
--- /var/tmp/diff_new_pack.aRSKei/_old 2022-11-01 13:42:40.195928545 +0100
+++ /var/tmp/diff_new_pack.aRSKei/_new 2022-11-01 13:42:40.199928566 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package jhead
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,12 @@
 URL: http://www.sentex.net/~mwandel/jhead/
 Source0: https://github.com/Matthias-Wandel/jhead/archive/refs/tags/%{version}.tar.gz
 Source1: %{name}.changes
+# PATCH FIX UPSTREAM arbitrary OS commands by placing them in a JPEG filename
+# https://github.com/Matthias-Wandel/jhead/pull/57
+Patch0: jhead-CVE-2022-41751-1.patch
+# PATCH FIX UPSTREAM arbitrary OS commands by placing them in a JPEG filename
+# https://github.com/Matthias-Wandel/jhead/commit/ec67262b8e5a4b05d8ad6898a09f1dc3fc032062
+Patch1: jhead-CVE-2022-41751-2.patch
 Requires: %{_bindir}/jpegtran
 Requires: %{_bindir}/mogrify
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
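Review bot: The comment above Patch1 is a verbatim copy of the one above Patch0, although the two patches are not independent: the last hunk of jhead-CVE-2022-41751-2.patch edits the strpbrk line that jhead-CVE-2022-41751-1.patch introduces in RegenerateThumbnail, so Patch1 only applies on top of Patch0 and the numbering under %autopatch is load-bearing. A comment recording that keeps a later maintainer from reordering or dropping one of them, e.g. `# PATCH FIX UPSTREAM follow-up to Patch0: adds '$' to the rejected set and covers FileEditComment and DoAutoRotate (applies on top of Patch0)`.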
@@ -39,6 +45,7 @@
 %prep
 %setup -q
+%autopatch -p1
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE1}")"
 DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
++++++ jhead-CVE-2022-41751-1.patch ++++++
Index: jhead-3.06.0.1/jhead.c
===================================================================
--- jhead-3.06.0.1.orig/jhead.c
+++ jhead-3.06.0.1/jhead.c
@@ -782,7 +782,15 @@ static int RegenerateThumbnail(const cha
 return FALSE;
 }
- sprintf(ThumbnailGenCommand, "mogrify -thumbnail %dx%d -quality 80 \"%s\"",
+ // Disallow characters in the filename that could be used to execute arbitrary
+ // shell commands with system() below.
+ if(strpbrk(FileName, "\";'&|`")) {
+ ErrNonfatal("Filename has invalid characters.", 0, 0);
+ return FALSE;
+ }
+
+ snprintf(ThumbnailGenCommand, sizeof(ThumbnailGenCommand),
+ "mogrify -thumbnail %dx%d -quality 80 \"%s\"",
 RegenThumbnail, RegenThumbnail, FileName);
 if (system(ThumbnailGenCommand) == 0){
++++++ jhead-CVE-2022-41751-2.patch ++++++
Index: jhead-3.06.0.1/jhead.c
===================================================================
--- jhead-3.06.0.1.orig/jhead.c
+++ jhead-3.06.0.1/jhead.c
@@ -166,6 +166,15 @@ static int FileEditComment(char * TempFi
 }
 if (strlen(Editor) > PATH_MAX) ErrFatal("env too long");
+ // Disallow characters in the editor or filename that could be used to execute arbitrary
+ // shell commands with system() below.
+ if (strpbrk(TempFileName, "\";'&|`$")) {
+ ErrFatal("Filename has invalid characters");
+ }
+ if (strpbrk(Editor, "\";'&|`$")) {
+ ErrFatal("Editor has invalid characters");
+ }
+
 sprintf(QuotedPath, "%s \"%s\"",Editor, TempFileName);
 a = system(QuotedPath);
 }
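Review bot: The strpbrk deny-list added in RegenerateThumbnail still hands FileName to `system()`, i.e. to `sh -c`, so the protection rests on the quoting in the format string and on the rejected set being complete — the second patch in this same submission already has to append `$` to it — and the same holds for the FileEditComment and DoAutoRotate hunks of jhead-CVE-2022-41751-2.patch. The robust fix is to not involve a shell at all: build an argv and run mogrify with `fork()`/`execvp()` (or `posix_spawnp()`), then `waitpid()`, so every byte of FileName is an ordinary argument; the sketch below keeps the deny-list as defence in depth and preserves the existing `== 0` success condition. It needs `<unistd.h>` and `<sys/wait.h>` included at the top of jhead.c, outside this hunk, and if jhead is also built on a platform without `fork()` the call needs the same conditional treatment as the file's other POSIX-only code. RegenerateThumbnail's declaration and the rest of its body lie outside the hunk.
```c
    // … unchanged: strpbrk() deny-list check and ErrNonfatal() return …

    // Run mogrify directly: with an argv there is no shell to interpret FileName.
    char Geometry[32];
    snprintf(Geometry, sizeof(Geometry), "%dx%d", RegenThumbnail, RegenThumbnail);
    char *Argv[] = { "mogrify", "-thumbnail", Geometry, "-quality", "80",
                     (char *)FileName, NULL };
    int Status = -1;
    pid_t Child = fork();
    if (Child == 0) {
        execvp(Argv[0], Argv);
        _exit(127);                 // exec failed: report as a non-zero exit
    }
    if (Child > 0 && waitpid(Child, &Status, 0) == Child
            && WIFEXITED(Status) && WEXITSTATUS(Status) == 0){
        // … unchanged: success path that followed system(...) == 0 …
```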
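Review bot: `sprintf(QuotedPath, "%s \"%s\"",Editor, TempFileName);` in FileEditComment stays unbounded even though the first patch converts the equivalent line in RegenerateThumbnail to `snprintf` with `sizeof`; the guard two lines above caps Editor at PATH_MAX but says nothing about TempFileName, and QuotedPath's declaration is outside the hunk, so whether the two together can exceed it cannot be confirmed here. Writing it as `snprintf(QuotedPath, sizeof(QuotedPath), "%s \"%s\"", Editor, TempFileName)` and treating a return value of `sizeof(QuotedPath)` or more as an error would settle that regardless of the buffer size. The two new checks also terminate with `ErrFatal` where the sibling checks in DoAutoRotate and RegenerateThumbnail use `ErrNonfatal` and return; for an interactive comment edit that may be deliberate, and a short comment saying so would make the difference look intended.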
@@ -757,6 +766,14 @@ static int DoAutoRotate(const char * Fil
 sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"",
 Argument, ThumbTempName_out, ThumbTempName_in);
+ // Disallow characters in the command that could be used to execute arbitrary
+ // shell commands with system() below.
+ if (strpbrk(RotateCommand, "\";'&|`$")) {
+ ErrNonfatal("Command has invalid characters.", 0, 0);
+ unlink(ThumbTempName_in);
+ return FALSE;
+ }
+
 if (system(RotateCommand) == 0){
 // Put the thumbnail back in the header
 ReplaceThumbnail(ThumbTempName_out);
@@ -784,7 +801,7 @@ static int RegenerateThumbnail(const cha
 // Disallow characters in the filename that could be used to execute arbitrary
 // shell commands with system() below.
- if(strpbrk(FileName, "\";'&|`")) {
+ if(strpbrk(FileName, "\";'&|`$")) {
 ErrNonfatal("Filename has invalid characters.", 0, 0);
 return FALSE;
 }
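Review bot: The new guard in DoAutoRotate can never pass: it scans RotateCommand after `sprintf` has composed it from the format `"jpegtran -trim -%s -outfile \"%s\" \"%s\""`, and that format contributes literal double quotes, which is the first character of the rejected set, so `strpbrk` always matches and every auto-rotate of an embedded thumbnail reports "Command has invalid characters." and returns FALSE. The check belongs on the inputs — `Argument`, `ThumbTempName_in`, `ThumbTempName_out` — before the command is composed, as the sibling hunks do for FileName. While moving it, the `sprintf` into RotateCommand can become `snprintf` with `sizeof(RotateCommand)` as the RegenerateThumbnail fix did; RotateCommand's declaration and the code that creates ThumbTempName_in are outside the hunk, so the `unlink` on the failure path is kept as is. DoAutoRotate starts before the hunk.
```c
    // Validate the pieces before composing the command: the format string itself
    // contains double quotes, so scanning the finished command always matches.
    if (strpbrk(Argument, "\";'&|`$") || strpbrk(ThumbTempName_in, "\";'&|`$")
            || strpbrk(ThumbTempName_out, "\";'&|`$")) {
        ErrNonfatal("Command has invalid characters.", 0, 0);
        unlink(ThumbTempName_in);
        return FALSE;
    }

    snprintf(RotateCommand, sizeof(RotateCommand),
             "jpegtran -trim -%s -outfile \"%s\" \"%s\"",
             Argument, ThumbTempName_out, ThumbTempName_in);

    if (system(RotateCommand) == 0){
        // … unchanged: ReplaceThumbnail(ThumbTempName_out) and cleanup …
```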