Source: jhead
Version: 1:3.06.0.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/Matthias-Wandel/jhead/pull/57
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jhead.

CVE-2022-41751[0]:
| Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by
| placing them in a JPEG filename and then using the regeneration -rgt50
| option.

>From context I'm not yet really conviced we need a DSA for it, as a
user needs to be tricked into processing a specially crafted filename.
keeping RC severity though to make sure the fix land in bookworm.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-41751
    https://www.cve.org/CVERecord?id=CVE-2022-41751
[1] https://github.com/Matthias-Wandel/jhead/pull/57

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to