Debian Bug report logs - #889272
jhead: CVE-2018-6612: heap buffer overflow while running jhead
Reported by: Joonun Jang <joonun.jang@gmail.com>
Date: Sat, 3 Feb 2018 07:36:02 UTC
Severity: important
Tags: security, upstream
Found in version jhead/1:3.00-5
Fixed in version jhead/1:3.00-6
Done: Ludovic Rousseau <rousseau@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#889272; Package jhead.
(Sat, 03 Feb 2018 07:36:05 GMT).
Acknowledgement sent
to Joonun Jang <joonun.jang@gmail.com>:
New Bug report received and forwarded. Copy sent to joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovic Rousseau <rousseau@debian.org>.
(Sat, 03 Feb 2018 07:36:05 GMT).
Message #5 received at submit@bugs.debian.org:
Package: jhead
Version: 1:3.00-5
Severity: important
Tags: security
heap buffer overflow running jhead with "poc" option
Running 'jhead poc' with the attached file raises a heap buffer overflow,
which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:
june@june:~/temp/report/jhead/00013658$ ../../binary/jhead-3.00/jhead ./poc
=================================================================
==10024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efff at pc 0x555555570af5 bp 0x7ffffffef920 sp 0x7ffffffef918
READ of size 1 at 0x60200000efff thread T0
#0 0x555555570af4 in Get32s exif.c:337
#1 0x555555570af4 in Get32u exif.c:365
#2 0x555555570af4 in process_EXIF exif.c:1021
#3 0x555555568506 in ReadJpegSections jpgfile.c:287
#4 0x555555568a05 in ReadJpegSections jpgfile.c:126
#5 0x555555568a05 in ReadJpegFile jpgfile.c:375
#6 0x555555564af3 in ProcessFile jhead.c:896
#7 0x555555562608 in main jhead.c:1729
#8 0x7ffff67bb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#9 0x555555563a19 in _start (/home/june/temp/report/binary/jhead-3.00/jhead+0xfa19)
0x60200000efff is located 0 bytes to the right of 15-byte region [0x60200000eff0,0x60200000efff)
allocated by thread T0 here:
#0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x555555567b36 in ReadJpegSections jpgfile.c:173
SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:337 in Get32s
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[07]
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10024==ABORTING
This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages jhead depends on:
ii libc6 2.24-11+deb9u1
ii libjpeg-turbo-progs 1:1.5.1-2
jhead recommends no packages.
Versions of packages jhead suggests:
ii imagemagick 8:6.9.7.4+dfsg-11+deb9u4
ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11+deb9u4
-- no debconf information
[poc (image/jpeg, attachment)]
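The AddressSanitizer report above places the faulting read in Get32s one byte past a 15-byte heap region, the typical shape of a parser that trusts an offset or count taken from the file. As an added example, not jhead's code and not the Debian patch (which this log does not reproduce), here is a bounds-checked TIFF/EXIF IFD reader in C, exercised on two constructed inputs: a well-formed 26-byte header plus IFD0, and the same bytes cut to 15, the region size in the report. ExifBuf, exif_get32u, exif_parse_ifd0 and the demo_* helpers are this example's own names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* View over one EXIF/TIFF section; the byte-order flag mirrors the "II"/"MM"
   header marker. Every name in this file is this example's own, not jhead's. */
typedef struct {
    const unsigned char *data;
    size_t len;
    bool big_endian;
} ExifBuf;

/* True when n bytes starting at off lie inside the buffer. Written as a
   subtraction so a huge file-supplied offset cannot wrap off + n past len. */
static bool in_bounds(const ExifBuf *b, size_t off, size_t n)
{
    return n <= b->len && off <= b->len - n;
}

bool exif_get16u(const ExifBuf *b, size_t off, uint16_t *out)
{
    if (!in_bounds(b, off, 2)) return false;
    const unsigned char *p = b->data + off;
    *out = b->big_endian ? (uint16_t)((p[0] << 8) | p[1])
                         : (uint16_t)((p[1] << 8) | p[0]);
    return true;
}

bool exif_get32u(const ExifBuf *b, size_t off, uint32_t *out)
{
    if (!in_bounds(b, off, 4)) return false;   /* guards the kind of read ASan flagged above */
    const unsigned char *p = b->data + off;
    if (b->big_endian)
        *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    else
        *out = ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
    return true;
}

/* Validate the 8-byte TIFF header ("II" or "MM", magic 42) and set byte order. */
bool exif_open(const unsigned char *data, size_t len, ExifBuf *b)
{
    uint16_t magic;
    b->data = data; b->len = len; b->big_endian = false;
    if (len < 8) return false;
    if (data[0] == 'M' && data[1] == 'M') b->big_endian = true;
    else if (!(data[0] == 'I' && data[1] == 'I')) return false;
    return exif_get16u(b, 2, &magic) && magic == 42;
}

typedef struct { uint16_t tag, type; uint32_t count, value; } IfdEntry;

/* Parse IFD0: returns its entry count (copying up to max_entries into out), or -1
   when the entry count, the 12-byte entry table or the trailing next-IFD offset
   would run past the section. The whole table is checked before any entry is read. */
int exif_parse_ifd0(const ExifBuf *b, IfdEntry *out, int max_entries)
{
    uint32_t ifd_off;
    uint16_t n;
    if (!exif_get32u(b, 4, &ifd_off)) return -1;
    if (!exif_get16u(b, ifd_off, &n)) return -1;
    if (!in_bounds(b, ifd_off, 2 + (size_t)n * 12 + 4)) return -1;
    for (uint16_t i = 0; i < n && i < max_entries; i++) {
        size_t e = (size_t)ifd_off + 2 + (size_t)i * 12;
        if (!exif_get16u(b, e, &out[i].tag) || !exif_get16u(b, e + 2, &out[i].type) ||
            !exif_get32u(b, e + 4, &out[i].count) || !exif_get32u(b, e + 8, &out[i].value))
            return -1;   /* unreachable after the table check; kept so every read stays guarded */
    }
    return n;
}

/* Constructed sample: little-endian header, IFD0 at offset 8 with one entry
   (tag 0x0110, type 2 ASCII, count 4, inline value "abc\0"), then next-IFD = 0. */
const unsigned char SAMPLE_OK[26] = {
    'I','I', 0x2a,0x00, 0x08,0x00,0x00,0x00,
    0x01,0x00,
    0x10,0x01, 0x02,0x00, 0x04,0x00,0x00,0x00, 'a','b','c',0x00,
    0x00,0x00,0x00,0x00
};
/* Constructed sample: the same bytes cut to 15, the region size in the ASan report. */
const unsigned char SAMPLE_CUT[15] = {
    'I','I', 0x2a,0x00, 0x08,0x00,0x00,0x00,
    0x01,0x00,
    0x10,0x01, 0x02,0x00, 0x04
};

int demo_ok_entries(void)            /* expected 1 */
{
    ExifBuf b; IfdEntry e[4];
    return exif_open(SAMPLE_OK, sizeof SAMPLE_OK, &b) ? exif_parse_ifd0(&b, e, 4) : -2;
}
uint32_t demo_ok_first_value(void)   /* expected 0x00636261, i.e. "abc\0" little-endian */
{
    ExifBuf b; IfdEntry e[4];
    if (!exif_open(SAMPLE_OK, sizeof SAMPLE_OK, &b) || exif_parse_ifd0(&b, e, 4) < 1) return 0;
    return e[0].value;
}
int demo_cut_entries(void)           /* header intact, IFD table truncated: expected -1 */
{
    ExifBuf b; IfdEntry e[4];
    return exif_open(SAMPLE_CUT, sizeof SAMPLE_CUT, &b) ? exif_parse_ifd0(&b, e, 4) : -2;
}
/* Raw 32-bit read from the cut section: the value, or -1 when the read would touch
   byte 15, the "0 bytes to the right of 15-byte region" access in the report. */
int64_t demo_cut_get32(size_t off)
{
    ExifBuf b = { SAMPLE_CUT, sizeof SAMPLE_CUT, false };
    uint32_t v;
    return exif_get32u(&b, off, &v) ? (int64_t)v : -1;
}

int main(void)
{
    printf("ok: entries=%d first value=0x%08x\n", demo_ok_entries(), demo_ok_first_value());
    printf("cut: entries=%d get32@11=%lld get32@12=%lld\n", demo_cut_entries(),
           (long long)demo_cut_get32(11), (long long)demo_cut_get32(12));
    return 0;
}
```

The design point is that every multi-byte read goes through one length check expressed as `off <= len - n`, and the IFD table is validated as a whole from the file-supplied entry count before the loop touches any entry, so a truncated section is rejected up front instead of being discovered one byte past the allocation.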
Reply sent
to Ludovic Rousseau <rousseau@debian.org>:
You have taken responsibility.
(Sat, 03 Feb 2018 10:09:07 GMT).
Notification sent
to Joonun Jang <joonun.jang@gmail.com>:
Bug acknowledged by developer.
(Sat, 03 Feb 2018 10:09:07 GMT).
Message #10 received at 889272-close@bugs.debian.org:
Source: jhead
Source-Version: 1:3.00-6
We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 889272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Rousseau <rousseau@debian.org> (supplier of updated jhead package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 03 Feb 2018 10:46:05 +0100
Source: jhead
Binary: jhead
Architecture: source amd64
Version: 1:3.00-6
Distribution: unstable
Urgency: medium
Maintainer: Ludovic Rousseau <rousseau@debian.org>
Changed-By: Ludovic Rousseau <rousseau@debian.org>
Description:
jhead - manipulate the non-image part of Exif compliant JPEG files
Closes: 889272
Changes:
jhead (1:3.00-6) unstable; urgency=medium
.
* Reformat patches for gbp pq
* Fix heap buffer overflow (Closes: #889272)
Checksums-Sha1:
9124e7695eb499b3bd17f138468467da0096b823 1842 jhead_3.00-6.dsc
0443593e68e9e7b33f6ee0612d852d6e7f86c722 8252 jhead_3.00-6.debian.tar.xz
389deaea6a42a00a69908ccb4551fb0d1c3ae13a 61568 jhead-dbgsym_3.00-6_amd64.deb
c9c62433962c0744d018a8f50d6fc8cc7902994e 6253 jhead_3.00-6_amd64.buildinfo
44a67f24fd0b3aa4307fc34580570f49d0ded7c3 48816 jhead_3.00-6_amd64.deb
Checksums-Sha256:
adbb29dbceffb2ac415abeeb41733e2124c4b5068c4bf9c8258998264f0c7fb2 1842 jhead_3.00-6.dsc
7ba8cd13f46c058f94591019a9be676f6d094103b403eb8eee1b14434069f806 8252 jhead_3.00-6.debian.tar.xz
95330a4f7106cf1af70f62fffa6b6dd44ac0cbb239eb7e46a03f75a0de59402b 61568 jhead-dbgsym_3.00-6_amd64.deb
2468657e12d73b5808f985c50434654eba1a164ef0fd36f05ad6d24662f010f5 6253 jhead_3.00-6_amd64.buildinfo
6b70b9c549cfeffa7ba1d3b978a054d075d9f2899dae15509fe933c90e477513 48816 jhead_3.00-6_amd64.deb
Files:
bf918064779becc674169d6f7f93a934 1842 graphics optional jhead_3.00-6.dsc
6bd99a783605a073e580e22b4ca3a524 8252 graphics optional jhead_3.00-6.debian.tar.xz
a15da9f66ea56f1ff7e52d95a12c69d1 61568 debug optional jhead-dbgsym_3.00-6_amd64.deb
2b2f845f48f8662d6817e518d1818aab 6253 graphics optional jhead_3.00-6_amd64.buildinfo
3b97837a930f752cf8a7241dcd7eabdc 48816 graphics optional jhead_3.00-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 Feb 2018 21:27:03 GMT).
Changed Bug title to 'jhead: CVE-2018-6612: heap buffer overflow while running jhead' from 'jhead: heap buffer overflow while running jhead'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 Feb 2018 21:27:05 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#889272; Package jhead.
(Mon, 19 Feb 2018 06:12:12 GMT).
Acknowledgement sent
to Jaeseung Choi <jschoi17@kaist.ac.kr>:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>.
(Mon, 19 Feb 2018 06:12:12 GMT).
Message #19 received at 889272@bugs.debian.org:
For your information, this bug was assigned CVE-2018-6612.
Thank you for the fix.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 19 Mar 2018 07:28:28 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Aug 2 03:31:14 2024;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.