Headline
CVE-2022-28550: Merge branch 'master' of git+ssh://192.168.0.20/home/serv/jhead · Matthias-Wandel/jhead@64894db
Matthias-Wandel/jhead jhead 3.06 is vulnerable to Buffer Overflow via shellescape(), jhead.c, jhead. jhead copies strings to a stack buffer when it detects a &i or &o. However, jhead does not check the boundary of the stack buffer. As a result, there will be a stack buffer overflow problem when multiple &i or &o are given.
@@ -401,6 +401,11 @@ static void DoCommand(const char * FileName, int ShowIt)
// Build the exec string. &i and &o in the exec string get replaced by input and output files.
for (a=0;;a++){
if (ApplyCommand[a] == ‘&’){
printf("Arg &%c, e=%d max %d\n",ApplyCommand[a+1], e, PATH_MAX);
if (ApplyCommand[a+1] == ‘i’ || ApplyCommand[a+1] == ‘o’){
if (e > PATH_MAX * 2) ErrFatal(“Specified command line too long”);
}
if (ApplyCommand[a+1] == ‘i’){
// Input file.
e += shellescape(ExecString+e, FileName);
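Review bot: the added guard `if (e > PATH_MAX * 2) ErrFatal(...)` only tests the offset reached before this placeholder and does not account for the bytes the following `shellescape(ExecString+e, FileName)` call is about to write, so it is sound only if ExecString has headroom beyond PATH_MAX * 2 for one fully escaped file name, and that declaration is not visible in this hunk. Deriving the limit from the buffer's own size, or passing the remaining space into shellescape so it can refuse to write, would make the bound self-evident instead of resting on a magic constant. Separately, the new `printf("Arg &%c, e=%d max %d\n", ...)` looks like leftover debug output: it prints to stdout for every `&` in the command string and should be dropped.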
Related news
Gentoo Linux Security Advisory 202406-5 - Multiple vulnerabilities have been discovered in JHead, the worst of which may lead to arbitrary code execution. Versions greater than or equal to 3.08 are affected.