Bug 1197454 - (CVE-2021-28276) VUL-1: CVE-2021-28276: A Denial of Service vulnerability exists in jhead 3.04 and 3.05 via a wild address read in the ProcessCanonMakerNoteDir function in makernote.c.
(CVE-2021-28276)
VUL-1: CVE-2021-28276: A Denial of Service vulnerability exists in jhead 3.04...
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem
Leap 15.3
Other Other
: P4 - Low : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/327048/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-03-24 06:37 UTC by Alexander Bergmann
Modified: 2022-07-25 01:23 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2022-03-24 06:37:59 UTC
CVE-2021-28276

A Denial of Service vulnerability exists in jhead 3.04 and 3.05 via a wild
address read in the ProcessCanonMakerNoteDir function in makernote.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28276
https://github.com/Matthias-Wandel/jhead/issues/1
Comment 1 OBSbugzilla Bot 2022-07-25 00:40:12 UTC
This is an autogenerated message for OBS integration:
This bug (1197454) was mentioned in
https://build.opensuse.org/request/show/990913 Backports:SLE-15-SP3 / jhead
Comment 2 Stanislav Brabec 2022-07-25 01:23:39 UTC
There is a strange thing in Backports:
openSUSE:Backports:SLE-15:Update contains version 3.00
openSUSE:Backports:SLE-15-SP1:Update contains version 3.00
openSUSE:Backports:SLE-15-SP2:Update contains version 3.06.0.1
openSUSE:Backports:SLE-15-SP3:Update contains version 3.00
openSUSE:Backports:SLE-15-SP4:Update contains version 3.06.0.1, but a slightly different spec than SP2

That is why I suggest to fix this bug by updating all repositories to 3.06.0.1.

It is a binary tool, there are no known incompatibilities.

Submitted 3.06.0.1 for:
openSUSE:Backports:SLE-15-SP3:Update: https://build.opensuse.org/request/show/990913
openSUSE:Backports:SLE-15-SP1:Update: BuildService API error: Server did not define a default maintenance project, can't submit.
openSUSE:Backports:SLE-15:Update: BuildService API error: Server did not define a default maintenance project, can't submit.

If SLE 15 and SP1 are wanted, please tell me where to submit.