File jhead-CVE-2022-41751-2.patch of Package jhead.17743
Index: jhead-3.06.0.1/jhead.c
===================================================================
--- jhead-3.06.0.1.orig/jhead.c
+++ jhead-3.06.0.1/jhead.c
@@ -166,6 +166,15 @@ static int FileEditComment(char * TempFi
}
if (strlen(Editor) > PATH_MAX) ErrFatal("env too long");
+ // Disallow characters in the editor or filename that could be used to execute arbitrary
+ // shell commands with system() below.
+ if (strpbrk(TempFileName, "\";'&|`$")) {
+ ErrFatal("Filename has invalid characters");
+ }
+ if (strpbrk(Editor, "\";'&|`$")) {
+ ErrFatal("Editor has invalid characters");
+ }
+
sprintf(QuotedPath, "%s \"%s\"",Editor, TempFileName);
a = system(QuotedPath);
}
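Review bot: Editor is interpolated unquoted at L18, so a newline, `<`, `>`, `(`, `)` or a glob character in it still reaches the shell with meaning after the denylist at L14; only TempFileName is placed inside double quotes, and that quoted position is the one the list actually covers. Editor comes from the caller's own environment, so this mostly matters if jhead ever runs with privileges it did not inherit from that environment, which I cannot confirm from the hunk. The durable fix is to drop system(): fork, `execlp` the editor with an explicit argv and `waitpid`, which removes the shell and the need for any character filter, at the cost of no longer word-splitting an EDITOR value such as `vim -f`. If the shell route stays, the set should at least also reject `\n` and `\\`. FileEditComment starts before this hunk and the later use of `a` is not visible, so the status mapping below is a guess that needs `<sys/wait.h>` and `<unistd.h>` included.
```c
// … unchanged: editor lookup and PATH_MAX length check …
pid_t pid = fork();
if (pid < 0) ErrFatal("fork failed");
if (pid == 0) {
    // Child: no shell involved, so no metacharacter filtering is needed.
    execlp(Editor, Editor, TempFileName, (char *)NULL);
    _exit(127);
}
int status;
if (waitpid(pid, &status, 0) < 0) ErrFatal("waitpid failed");
a = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
```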
@@ -757,6 +766,14 @@ static int DoAutoRotate(const char * Fil
sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"",
Argument, ThumbTempName_out, ThumbTempName_in);
+ // Disallow characters in the command that could be used to execute arbitrary
+ // shell commands with system() below.
+ if (strpbrk(RotateCommand, "\";'&|`$")) {
+ ErrNonfatal("Command has invalid characters.", 0, 0);
+ unlink(ThumbTempName_in);
+ return FALSE;
+ }
+
if (system(RotateCommand) == 0){
// Put the thumbnail back in the header
ReplaceThumbnail(ThumbTempName_out);
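Review bot: The check at L26 can never pass: the format string at L22 writes literal `"` characters around both file names, and `"` is in the strpbrk set, so every call now reports "Command has invalid characters.", unlinks the temp input and returns FALSE, which disables thumbnail rotation in DoAutoRotate entirely. The filter belongs on the inputs before they are assembled, not on the assembled command. Move the check ahead of the sprintf and apply it to `Argument`, `ThumbTempName_in` and `ThumbTempName_out` individually, keeping the unlink on rejection as the patch does. Since the sprintf is unbounded and RotateCommand's size is not visible here, snprintf with a truncation check would be the safer assembly as well. DoAutoRotate starts and ends outside this hunk.
```c
// … unchanged: earlier part of DoAutoRotate …
// Filter the pieces, not the finished command: the command itself
// legitimately contains the double quotes that the format adds.
if (strpbrk(Argument, "\";'&|`$") || strpbrk(ThumbTempName_in, "\";'&|`$")
        || strpbrk(ThumbTempName_out, "\";'&|`$")) {
    ErrNonfatal("Command has invalid characters.", 0, 0);
    unlink(ThumbTempName_in);
    return FALSE;
}
sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"",
    Argument, ThumbTempName_out, ThumbTempName_in);
// … unchanged: system(RotateCommand) and ReplaceThumbnail …
```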
@@ -784,7 +801,7 @@ static int RegenerateThumbnail(const cha
// Disallow characters in the filename that could be used to execute arbitrary
// shell commands with system() below.
- if(strpbrk(FileName, "\";'&|`")) {
+ if(strpbrk(FileName, "\";'&|`$")) {
ErrNonfatal("Filename has invalid characters.", 0, 0);
return FALSE;
}
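Review bot: Adding `$` at L39 closes the gap the earlier list left, but it also shows why a denylist is the wrong shape for this check: every omission is a new shell-injection bug, and the list still does not cover `\n` or `\\`, which matter if FileName ends up unquoted anywhere in the command built after this hunk. If that command keeps FileName inside double quotes, the set is close to sufficient for POSIX sh; the robust version is an allowlist (`isalnum`, `.`, `/`, `_`, `-`) or replacing system() with fork/execvp and an argv array so no filter is needed at all. RegenerateThumbnail and the command it builds continue past this hunk, so the quoting cannot be confirmed here.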