heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections

Related Vulnerabilities: CVE-2021-3496  

Debian Bug report logs - #972617


Package: jhead; Maintainer for jhead is Joachim Reichel <reichel@debian.org>; Source for jhead is src:jhead.

Reported by: Fstark <f734222792@gmail.com>

Date: Wed, 21 Oct 2020 10:15:02 UTC

Severity: normal

Found in versions jhead/1:3.04-4, 3.04-4

Fixed in version jhead/1:3.04-6

Done: Stephen Kitt <skitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#972617; Package jhead. (Wed, 21 Oct 2020 10:15:04 GMT)


Acknowledgement sent to Fstark <f734222792@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 21 Oct 2020 10:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Fstark <f734222792@gmail.com>
To: submit@bugs.debian.org
Subject: heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections
Date: Wed, 21 Oct 2020 18:13:22 +0800
Package: jhead
Version: 3.04-4

Bug Description

fstark@fstark-virtual-machine:~/jhead$ ./jhead fuzz1\:id\:000015\,sig\:06\,src\:000476\,time\:412880\,op\:arith8\,pos\:31\,val\:+29
=================================================================
==957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd2 at pc 0x7f6d38f94676 bp 0x7ffd0abe47d0 sp 0x7ffd0abe3f78
READ of size 4 at 0x60200000efd2 thread T0
    #0 0x7f6d38f94675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x40e810 in ReadJpegSections /home/fstark/jhead/jpgfile.c:285
    #2 0x410e86 in ReadJpegSections /home/fstark/jhead/jpgfile.c:125
    #3 0x410e86 in ReadJpegFile /home/fstark/jhead/jpgfile.c:378
    #4 0x40858b in ProcessFile /home/fstark/jhead/jhead.c:905
    #5 0x402f2c in main /home/fstark/jhead/jhead.c:1756
    #6 0x7f6d3886a83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #7 0x406708 in _start (/home/fstark/jhead/jhead+0x406708)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7f6d38fb5602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e4a8 in ReadJpegSections /home/fstark/jhead/jpgfile.c:172

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[02]fa fa fa 02 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==957==ABORTING
[poc (2) (application/octet-stream, attachment)]
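As an added illustration (not code from the bug report or from jhead itself), the following constructed C model shows the parser shape the ASan trace points at: a 2-byte segment length that counts itself, a payload malloc'd to exactly that length, and a 4-byte signature compared at offset 2, which on a length-2 segment is a READ of size 4 starting 0 bytes past a 2-byte region. Beside it is a hardened version that over-allocates, as the 1:3.04-6 changelog later describes, and refuses the compare when the segment cannot hold it. The "Exif" APP1 signature and the two sample segments are assumptions, not taken from the attached poc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model (not jhead's code) of the pattern in the ASan trace above:
 * a JPEG marker segment begins with a 2-byte big-endian length that counts
 * itself, the payload is malloc'd with exactly that length, and a 4-byte
 * signature is compared at offset 2.  The "Exif" APP1 signature is assumed. */
enum { SEG_PLAIN = 0, SEG_EXIF = 1, SEG_TRUNCATED = -1, SEG_BAD_LENGTH = -2 };
const uint8_t kShortSegment[] = { 0x00, 0x02 };             /* constructed: the crash case */
const uint8_t kExifSegment[]  = { 0x00, 0x08, 'E', 'x', 'i', 'f', 0x00, 0x00 }; /* constructed */

/* Vulnerable shape, kept only for contrast: itemlen == 2 passes the "at least 2"
 * check, malloc(2) yields a 2-byte region, and memcmp then reads 4 bytes at
 * data+2, i.e. 0 bytes to the right of the region, exactly as ASan reported. */
int classify_segment_unsafe(const uint8_t *seg, size_t seglen) {
    if (seglen < 2) return SEG_TRUNCATED;
    size_t itemlen = ((size_t)seg[0] << 8) | seg[1];
    if (itemlen < 2 || itemlen > seglen) return SEG_BAD_LENGTH;
    uint8_t *data = malloc(itemlen);
    memcpy(data, seg, itemlen);
    int r = memcmp(data + 2, "Exif", 4) == 0 ? SEG_EXIF : SEG_PLAIN; /* OOB read */
    free(data);
    return r;
}

/* Hardened shape: over-allocate zeroed slack (the approach the 3.04-6 changelog
 * names) so a short payload cannot push the compare past the region, and skip
 * the signature compare when itemlen cannot even hold length + signature. */
int classify_segment_safe(const uint8_t *seg, size_t seglen) {
    if (seglen < 2) return SEG_TRUNCATED;
    size_t itemlen = ((size_t)seg[0] << 8) | seg[1];
    if (itemlen < 2) return SEG_BAD_LENGTH;      /* length must count itself */
    if (itemlen > seglen) return SEG_TRUNCATED;  /* input ends inside the segment */
    uint8_t *data = calloc(itemlen + 8, 1);
    if (!data) return SEG_BAD_LENGTH;
    memcpy(data, seg, itemlen);
    int r = SEG_PLAIN;
    if (itemlen >= 2 + 4 && memcmp(data + 2, "Exif", 4) == 0) r = SEG_EXIF;
    free(data);
    return r;
}

int main(void) {
    printf("short segment -> %d, exif segment -> %d\n",
           classify_segment_safe(kShortSegment, sizeof kShortSegment),
           classify_segment_safe(kExifSegment, sizeof kExifSegment));
    return 0;
}
```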

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#972617; Package jhead. (Sat, 24 Apr 2021 12:45:04 GMT)


Acknowledgement sent to Stephen Kitt <skitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 24 Apr 2021 12:45:04 GMT)


Message #10 received at 972617@bugs.debian.org:

From: Stephen Kitt <skitt@debian.org>
To: 972617@bugs.debian.org, 986923@bugs.debian.org, 968999@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Salzburg BSP
Date: Sat, 24 Apr 2021 14:40:35 +0200
user debian-release@lists.debian.org
usertags -1 + bsp-2021-04-AT-Salzburg
owner !
thank you

Added tag(s) pending. Request was from Stephen Kitt <skitt@debian.org> to control@bugs.debian.org. (Sat, 24 Apr 2021 12:57:06 GMT)


Reply sent to Stephen Kitt <skitt@debian.org>:
You have taken responsibility. (Sat, 24 Apr 2021 13:21:05 GMT)


Notification sent to Fstark <f734222792@gmail.com>:
Bug acknowledged by developer. (Sat, 24 Apr 2021 13:21:05 GMT)


Message #17 received at 972617-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 972617-close@bugs.debian.org
Subject: Bug#972617: fixed in jhead 1:3.04-6
Date: Sat, 24 Apr 2021 13:18:31 +0000
Source: jhead
Source-Version: 1:3.04-6
Done: Stephen Kitt <skitt@debian.org>

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972617@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <skitt@debian.org> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 24 Apr 2021 14:59:38 +0200
Source: jhead
Architecture: source
Version: 1:3.04-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Stephen Kitt <skitt@debian.org>
Closes: 968999 972617 986923
Changes:
 jhead (1:3.04-6) unstable; urgency=medium
 .
   * QA upload (Salzburg BSP).
   * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
     Closes: #986923.
   * Check IPTC lengths. Closes: #968999.
   * Allocate extra room when reading JPEG sections to avoid overflows.
     Closes: #972617.





Marked as found in versions jhead/1:3.04-4. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Sat, 24 Apr 2021 17:21:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Jun 2021 07:25:40 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 12 12:09:34 2022; Machine Name: buxtehude