CVE-2016-3822

Related Vulnerabilities: CVE-2016-3822  

Debian Bug report logs - #858213
CVE-2016-3822

Package: jhead; Maintainer for jhead is Ludovic Rousseau <rousseau@debian.org>; Source for jhead is src:jhead.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 19 Mar 2017 20:54:01 UTC

Severity: grave

Tags: security, upstream

Found in version jhead/1:2.97-1

Fixed in versions jhead/1:3.00-4, jhead/1:2.97-1+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#858213; Package jhead. (Sun, 19 Mar 2017 20:54:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovic Rousseau <rousseau@debian.org>. (Sun, 19 Mar 2017 20:54:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-3822
Date: Sun, 19 Mar 2017 21:51:15 +0100
Package: jhead
Severity: grave
Tags: security

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3822

Cheers,
        Moritz



Reply sent to Ludovic Rousseau <rousseau@debian.org>:
You have taken responsibility. (Mon, 20 Mar 2017 21:09:13 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 20 Mar 2017 21:09:13 GMT).


Message #10 received at 858213-close@bugs.debian.org:

From: Ludovic Rousseau <rousseau@debian.org>
To: 858213-close@bugs.debian.org
Subject: Bug#858213: fixed in jhead 1:3.00-4
Date: Mon, 20 Mar 2017 21:04:33 +0000
Source: jhead
Source-Version: 1:3.00-4

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <rousseau@debian.org> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Mar 2017 20:26:16 +0100
Source: jhead
Binary: jhead
Architecture: source amd64
Version: 1:3.00-4
Distribution: unstable
Urgency: medium
Maintainer: Ludovic Rousseau <rousseau@debian.org>
Changed-By: Ludovic Rousseau <rousseau@debian.org>
Description:
 jhead      - manipulate the non-image part of Exif compliant JPEG files
Closes: 858213
Changes:
 jhead (1:3.00-4) unstable; urgency=medium
 .
   * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213)
   * debian/patches/30_spelling: fix another spelling issue reported by
     lintian
   * debian/control: Standards-Version: 3.9.6 -> 3.9.8. No change needed.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Marked as found in versions jhead/1:2.97-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 31 Mar 2017 07:48:04 GMT).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 31 Mar 2017 07:48:06 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 02 Apr 2017 21:06:08 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 02 Apr 2017 21:06:08 GMT).


Message #19 received at 858213-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 858213-close@bugs.debian.org
Subject: Bug#858213: fixed in jhead 1:2.97-1+deb8u1
Date: Sun, 02 Apr 2017 21:02:08 +0000
Source: jhead
Source-Version: 1:2.97-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 31 Mar 2017 16:10:08 +0200
Source: jhead
Binary: jhead
Architecture: source
Version: 1:2.97-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Ludovic Rousseau <rousseau@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 858213
Description: 
 jhead      - manipulate the non-image part of Exif compliant JPEG files
Changes:
 jhead (1:2.97-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-3822: Fix possible out of bounds access (Closes: #858213)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:26:03 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:57:44 2019; Machine Name: buxtehude
