{"id":"MGASA-2018-0457","summary":"Updated jhead package fixes security vulnerabilities","details":"The ProcessGpsInfo function may have allowed a remote attacker to cause\na denial-of-service attack or unspecified other impact via a malicious\nJPEG file, because of inconsistency between float and double in a\nsprintf format string during TAG_GPS_ALT handling (CVE-2018-16554).\n\nThe ProcessGpsInfo function may have allowed a remote attacker to cause\na denial-of-service attack or unspecified other impact via a malicious\nJPEG file, because there is an integer overflow during a check for\nwhether a location exceeds the EXIF data length (CVE-2018-17088).\n","modified":"2026-04-16T06:23:50.379141824Z","published":"2018-11-17T22:23:26Z","upstream":["CVE-2018-16554","CVE-2018-17088"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0457.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23676"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-updates/2018-09/msg00142.html"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-updates/2018-10/msg00198.html"}],"affected":[{"package":{"name":"jhead","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/jhead?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.00-3.3.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0457.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}