Hello community,

here is the log from the commit of package jhead for openSUSE:Factory checked in at 2023-02-14 16:47:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jhead (Old)
 and      /work/SRC/openSUSE:Factory/.jhead.new.27156 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jhead" Tue Feb 14 16:47:36 2023 rev:30 rq:1065728 version:3.06.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/jhead/jhead.changes 2022-11-12 17:41:38.814338641 +0100 +++ /work/SRC/openSUSE:Factory/.jhead.new.27156/jhead.changes 2023-02-14 16:48:16.183451365 +0100 @@ -1,0 +2,8 @@ +Fri Feb 10 11:13:09 UTC 2023 - pgaj...@suse.com + +- added patches + fix [bsc#1207150] + https://github.com/Matthias-Wandel/jhead/commit/2a237d866581b3774ebe63d6c312e76459bd0866 + + jhead-CVE-2022-41751-3.patch + +------------------------------------------------------------------- New: ---- jhead-CVE-2022-41751-3.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jhead.spec ++++++ --- /var/tmp/diff_new_pack.tbXh2A/_old 2023-02-14 16:48:16.971456019 +0100 +++ /var/tmp/diff_new_pack.tbXh2A/_new 2023-02-14 16:48:16.975456042 +0100 @@ -1,7 +1,7 @@ # # spec file for package jhead # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,6 +34,8 @@ # PATCH FIX UPSTREAM heap-buffer-overflow of exif.c in function Put16u # https://github.com/Matthias-Wandel/jhead/commit/f0a884210cc46830b176f71fd61569adc8f230a7 Patch2: jhead-CVE-2021-34055.patch +# [bsc#1207150], https://github.com/Matthias-Wandel/jhead/commit/2a237d866581b3774ebe63d6c312e76459bd0866 +Patch3: jhead-CVE-2022-41751-3.patch Requires: %{_bindir}/jpegtran Requires: %{_bindir}/mogrify BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ jhead-CVE-2022-41751-3.patch ++++++ Index: jhead-3.06.0.1/jhead.c =================================================================== --- jhead-3.06.0.1.orig/jhead.c +++ jhead-3.06.0.1/jhead.c 
@@ -766,9 +766,9 @@ static int DoAutoRotate(const char * Fil sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"", Argument, ThumbTempName_out, ThumbTempName_in); - // Disallow characters in the command that could be used to execute arbitrary + // Disallow characters in the filenames that could be used to execute arbitrary // shell commands with system() below. - if (strpbrk(RotateCommand, "\";'&|`$")) { + if (strpbrk(FileName, "\";'&|`$")) { ErrNonfatal("Command has invalid characters.", 0, 0); unlink(ThumbTempName_in); return FALSE;
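Review bot: In the jhead.spec hunk, the comment above Patch3 gives only the bug number and the upstream commit URL, while the Patch2 entry just above it also says what is being fixed ("PATCH FIX UPSTREAM heap-buffer-overflow of exif.c in function Put16u"). Please give Patch3 the same kind of one-line description, naming the affected function (DoAutoRotate in jhead.c) and the CVE, so the spec can be read without opening the patch. The jhead.changes entry has the same gap: it lists bsc#1207150 and the patch file name, but the CVE id appears only inside that file name.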
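Review bot: In the jhead.c hunk of jhead-CVE-2022-41751-3.patch, the check now screens FileName, but the string passed to system() is built by the sprintf above it from Argument, ThumbTempName_out and ThumbTempName_in, and nothing visible in the hunk shows that those three are covered by a check on FileName. Either screen the strings that are actually interpolated into RotateCommand, or add a comment stating that the temp names are derived from FileName and Argument is a fixed option string. Two smaller points on the same lines: the message still reads "Command has invalid characters." although the filename is what is tested now, and the denylist "\";'&|`$" leaves out backslash and newline, which the shell still treats specially around double-quoted arguments. An allowlist of permitted filename characters, or running jpegtran through fork/execvp with an argument vector instead of system(), would remove the dependence on getting the denylist complete. The unbounded sprintf into RotateCommand is also worth changing to snprintf with a truncation check while this code is being touched.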