Headline
Ubuntu Security Notice USN-6110-1
Ubuntu Security Notice 6110-1 - It was discovered that Jhead did not properly handle certain crafted Canon images when processing them. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service. It was discovered that Jhead did not properly handle certain crafted images when printing Canon-specific information. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service. It was discovered that Jhead did not properly handle certain crafted images when removing unknown sections. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service.
==========================================================================
Ubuntu Security Notice USN-6110-1
May 29, 2023
Jhead vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Jhead could be made to crash if it opened a specially crafted
file.
Software Description:
- jhead: Manipulate the non-image part of Exif compliant JPEG files
Details:
It was discovered that Jhead did not properly handle certain crafted Canon
images when processing them. An attacker could possibly use this issue to
crash Jhead, resulting in a denial of service. (CVE-2021-3496)
It was discovered that Jhead did not properly handle certain crafted images
when printing Canon-specific information. An attacker could possibly use this
issue to crash Jhead, resulting in a denial of service. (CVE-2021-28275)
It was discovered that Jhead did not properly handle certain crafted images
when removing unknown sections. An attacker could possibly use this issue to
crash Jhead, resulting in a denial of service. (CVE-2021-28275)
Kyle Brown discovered that Jhead did not properly handle certain crafted
images when editing their comments. An attacker could possibly use this to
crash Jhead, resulting in a denial of service. (LP: #2020068)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
jhead 1:3.06.0.1-6ubuntu0.23.04.1
Ubuntu 22.10:
jhead 1:3.06.0.1-2ubuntu0.22.10.2
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
jhead 1:3.06.0.1-2ubuntu0.22.04.1+esm1
Ubuntu 20.04 LTS (Available with Ubuntu Pro):
jhead 1:3.04-1ubuntu0.2+esm1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
jhead 1:3.00-8~ubuntu0.2+esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
jhead 1:3.00-4+deb9u1ubuntu0.1~esm3
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
jhead 1:2.97-1+deb8u2ubuntu0.1~esm3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6110-1
CVE-2021-28275, CVE-2021-28277, CVE-2021-3496, https://launchpad.net/bugs/2020068
Package Information:
https://launchpad.net/ubuntu/+source/jhead/1:3.06.0.1-6ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/jhead/1:3.06.0.1-2ubuntu0.22.10.2
Related news
A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild address read in the Get16u function in exif.c in will cause segmentation fault via a crafted_file.
A Heap-based Buffer Overflow vulnerabilty exists in jhead 3.04 and 3.05 is affected by: Buffer Overflow via the RemoveUnknownSections function in jpgfile.c.
A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.