Advisories » MGASA-2018-0457

Updated jhead package fixes security vulnerabilities

Publication date: 17 Nov 2018
Modification date: 17 Nov 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-16554 , CVE-2018-17088

Description

The ProcessGpsInfo function may have allowed a remote attacker to cause
a denial-of-service attack or unspecified other impact via a malicious
JPEG file, because of inconsistency between float and double in a
sprintf format string during TAG_GPS_ALT handling (CVE-2018-16554).

The ProcessGpsInfo function may have allowed a remote attacker to cause
a denial-of-service attack or unspecified other impact via a malicious
JPEG file, because there is an integer overflow during a check for
whether a location exceeds the EXIF data length (CVE-2018-17088).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=23676
• https://lists.opensuse.org/opensuse-updates/2018-09/msg00142.html
• https://lists.opensuse.org/opensuse-updates/2018-10/msg00198.html
• https://www.cve.org/CVERecord?id=CVE-2018-16554
• https://www.cve.org/CVERecord?id=CVE-2018-17088

SRPMS

6/core

• jhead-3.00-3.3.mga6