| Name | CVE-2020-26208 |
| Description | JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. In affected versions there is a heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections. Crafted jpeg images can be provided to the user resulting in a program crash or potentially incorrect exif information retrieval. Users are advised to upgrade. There is no known workaround for this issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 972617 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| jhead (PTS) | jessie, jessie (lts) | 1:2.97-1+deb8u2 | vulnerable |
| stretch | 1:3.00-4+deb9u1 | vulnerable |
| buster (security), buster, buster (lts) | 1:3.00-8+deb10u1 | vulnerable |
| bullseye (security), bullseye | 1:3.04-6+deb11u1 | fixed |
| bookworm | 1:3.06.0.1-6 | fixed |
| sid, trixie | 1:3.08-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| jhead | source | (unstable) | 1:3.04-6 | unimportant | | 972617 |
Notes
https://github.com/Matthias-Wandel/jhead/commit/5186ddcf9e35a7aa0ff0539489a930434a1325f4
https://github.com/Matthias-Wandel/jhead/issues/7
https://sources.debian.org/src/jhead/1%3A3.04-6/debian/patches/allocate-extra.patch/
Crash in CLI tool, no security impact