Hello community, here is the log from the commit of package jhead for openSUSE:Factory checked in at Fri Jan 9 14:43:52 CET 2009. -------- --- jhead/jhead.changes 2008-10-16 11:51:04.000000000 +0200 +++ /mounts/work_src_done/STABLE/jhead/jhead.changes 2009-01-05 18:40:01.000000000 +0100 @@ -1,0 +2,7 @@ +Mon Jan 5 18:12:13 CET 2009 - sbrabec@suse.cz + +- Fixed arbitrary command vulnerability in DoCommand (bnc#435979, + CVE-2008-4641). +- Fixed dependencies. + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- jhead-DoCommand.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jhead.spec ++++++ --- /var/tmp/diff_new_pack.C29024/_old 2009-01-09 14:43:44.000000000 +0100 +++ /var/tmp/diff_new_pack.C29024/_new 2009-01-09 14:43:44.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package jhead (Version 2.84) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,15 +19,16 @@ Name: jhead -License: Public Domain, Freeware +License: Public Domain, Freeware; Public Domain. See http://www.sentex.ca/~mwandel/jhead/ Group: Productivity/Graphics/Other AutoReqProv: on Version: 2.84 -Release: 1 -Requires: %{_bindir}/jpegtran +Release: 2 +Requires: %{_bindir}/jpegtran %{_bindir}/mogrify Summary: Tool to Manipulate the Nonimage Part of EXIF Compliant JPEG Files Url: http://www.sentex.net/~mwandel/jhead/ Source: %{name}-%{version}.tar.bz2 +Patch: jhead-DoCommand.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -46,6 +47,7 @@ %prep %setup -q +%patch # Let RPM compress it according to actual policy. gunzip jhead.1.gz 
@@ -68,6 +70,10 @@ %doc %{_mandir}/man1/*.* %changelog +* Mon Jan 05 2009 sbrabec@suse.cz +- Fixed arbitrary command vulnerability in DoCommand (bnc#435979, + CVE-2008-4641). +- Fixed dependencies. * Thu Oct 16 2008 sbrabec@suse.cz - Updated to version 2.84: * Decode more exif tags for '-v' mode. ++++++ jhead-DoCommand.patch ++++++ --- jhead.c +++ jhead.c 
@@ -295,37 +295,81 @@ //-------------------------------------------------------------------------- +// Escape an argument such that it is interpreted literally by the shell +// (returns the number of written characters) +//-------------------------------------------------------------------------- +static int shellescape(char* to, const char* from) +{ + int i, j; + i = j = 0; + + // Enclosing characters in double quotes preserves the literal value of + // all characters within the quotes, with the exception of $, `, and \. + to[j++] = '"'; + while(from[i]) + { +#ifdef _WIN32 + // Under WIN32, there isn't really anything dangerous you can do with + // escape characters, plus windows users aren't as sercurity paranoid. + // Hence, no need to do fancy escaping. + to[j++] = from[i++]; +#else + switch(from[i]) { + case '"': + case '$': + case '`': + case '\\': + to[j++] = '\\'; + default: + to[j++] = from[i++]; + } +#endif + if (j >= PATH_MAX) ErrFatal("max path exceeded"); + } + to[j++] = '"'; + return j; +} + + +//-------------------------------------------------------------------------- // Apply the specified command to the JPEG file. //-------------------------------------------------------------------------- static void DoCommand(const char * FileName, int ShowIt) { int a,e; - char ExecString[PATH_MAX*2]; - char TempName[PATH_MAX+1]; + char ExecString[PATH_MAX*3]; + char TempName[PATH_MAX+10]; int TempUsed = FALSE; e = 0; - // Make a temporary file in the destination directory by changing last char. - strcpy(TempName, FileName); - a = strlen(TempName)-1; - TempName[a] = (char)(TempName[a] == 't' ? 
'z' : 't'); + // Generate an unused temporary file name in the destination directory + // (a is the number of characters to copy from FileName) + a = strlen(FileName)-1; + while(a > 0 && FileName[a-1] != '/') a--; + memcpy(TempName, FileName, a); + strcpy(TempName+a, "XXXXXX"); + mkstemp(TempName); + if(!TempName[0]) { + ErrFatal("Cannot find available temporary file name"); + } + + // Build the exec string. &i and &o in the exec string get replaced by input and output files. for (a=0;;a++){ if (ApplyCommand[a] == '&'){ if (ApplyCommand[a+1] == 'i'){ // Input file. - e += sprintf(ExecString+e, "\"%s\"",FileName); + e += shellescape(ExecString+e, FileName); a += 1; continue; } if (ApplyCommand[a+1] == 'o'){ // Needs an output file distinct from the input file. - e += sprintf(ExecString+e, "\"%s\"",TempName); + e += shellescape(ExecString+e, TempName); a += 1; TempUsed = TRUE; - unlink(TempName);// Remove any pre-existing temp file continue; } } @@ -638,7 +682,7 @@ ErrFatal("Orientation screwup"); } - sprintf(RotateCommand, "jpegtran -%s -outfile &o &i", Argument); + sprintf(RotateCommand, "jpegtran -trim -%s -outfile &o &i", Argument); ApplyCommand = RotateCommand; DoCommand(FileName, FALSE); ApplyCommand = NULL; @@ -657,7 +701,7 @@ strcpy(ThumbTempName_out, FileName); strcat(ThumbTempName_out, ".tho"); SaveThumbnail(ThumbTempName_in); - sprintf(RotateCommand,"jpegtran -%s -outfile \"%s\" \"%s\"", + sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"", Argument, ThumbTempName_out, ThumbTempName_in); if (system(RotateCommand) == 0){ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
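Review bot: The return value of `mkstemp(TempName)` is discarded, so the descriptor it opens is leaked on every call and the following `if(!TempName[0])` is not a reliable failure test — on failure mkstemp returns -1 and leaves the template contents unspecified. Replace those two lines with `int fd = mkstemp(TempName);`, `if (fd < 0) ErrFatal("Cannot find available temporary file name");` and `close(fd);` (unlink() is already used in this function, so <unistd.h> is presumably in scope). Because the file is now created before the loop knows whether ApplyCommand contains `&o`, and the old `unlink(TempName)` was dropped, a command without `&o` leaves an empty temp file behind unless the part of DoCommand after this hunk removes it; DoCommand continues past the end of the hunk. In shellescape, the `case '\\':` label falls through into `default:` by design — mark it with `/* fallthrough */` so -Wimplicit-fallthrough does not flag the one place the escaping relies on it. The `j >= PATH_MAX` bound is measured from `to`, not from the end of ExecString, so whether ExecString[PATH_MAX*3] can hold the command text plus two escaped names depends on how the loop's other branches (outside the hunk) copy ApplyCommand.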
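Review bot: The rewritten `sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"", ...)` in the thumbnail-rotation path still wraps the FileName-derived names in plain double quotes and hands the result to `system()`, so it does not benefit from the new shellescape() and a name containing a double quote, `$`, backtick or backslash is still interpreted by the shell — the same class of problem the DoCommand change fixes. Escape both names with shellescape() before formatting; the helper does not NUL-terminate its output, so the caller must terminate at the returned length. The enclosing function and the declaration of RotateCommand start outside the hunk, so its size has to be checked against the longer escaped names before this is applied.
```c
    // … unchanged: ThumbTempName_in/ThumbTempName_out construction, SaveThumbnail() …
    char EscIn[PATH_MAX + 2], EscOut[PATH_MAX + 2];   // shellescape() fatals before j reaches PATH_MAX
    EscIn[shellescape(EscIn, ThumbTempName_in)] = '\0';    // helper returns the length, no terminator
    EscOut[shellescape(EscOut, ThumbTempName_out)] = '\0';
    sprintf(RotateCommand, "jpegtran -trim -%s -outfile %s %s",
            Argument, EscOut, EscIn);
    if (system(RotateCommand) == 0){
```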