Your message dated Sun, 31 May 2009 15:47:03 +0000
with message-id <[email protected]>
and subject line Bug#530401: fixed in jhead 2.875-2
has caused the Debian Bug report #530401,
regarding jhead: segmentation fault on corrupt input file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
530401: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530401
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jhead
Version: 2.84-2
Severity: normal

Using the zzuf fuzzer, it is fairly easy to get jhead to crash
with a segmentation fault. I guess this is due to lack of
validation of various exif header fields.

Here's an example:
(good file) http://www.noloop.net/bugs/jhead/001/hello.jpeg

Corrupted with "zzuf -c -v -s 148 cat hello.jpeg > hello-s148.jpeg":
(corrupt file) http://www.noloop.net/bugs/jhead/001/hello-s148.jpeg

gdb trace (when running against a non-stripped binary compiled
from the jhead source deb):

jhead-2.84/jhead hello-s148.jpeg

Nonfatal Error : 'hello-s148.jpeg' Suspicious offset of first IFD value

Program received signal SIGSEGV, Segmentation fault.
0x0804cc30 in Get16u (Short=0x865e1c1) at exif.c:319
319             return (((uchar *)Short)[1] << 8) | ((uchar *)Short)[0];
#0  0x0804cc30 in Get16u (Short=0x865e1c1) at exif.c:319
No locals.
#1  0x0804d0a3 in ProcessExifDir (DirStart=0x865e1c1 <Address 0x865e1c1 out of bounds>, OffsetBase=0x825e1b8 "II*", ExifLength=126, NestingLevel=0) at exif.c:464
        de = 10
        a = -1208602636
        NumDirEntries = -1208601216
        ThumbnailOffset = 0
        ThumbnailSize = 0
        IndentString = "\000", ' ' <repeats 24 times>
#2  0x0804e539 in process_EXIF (ExifSection=0x825e1b0 "", length=134) at exif.c:996
        FirstOffset = 4194313
        ExifHeader = "Exif\000\000"
#3  0x0804bdc3 in ReadJpegSections (infile=0x825e048, ReadMode=READ_METADATA) at jpgfile.c:235
        marker = 225
        ll = 134
        lh = 0
        Data = (uchar *) 0x825e1b0 ""
        itemlen = 134
        got = 132
        a = 1
        HaveCom = 0
#4  0x0804c020 in ReadJpegFile (FileName=0xbfdbc927 "hello-s148.jpeg", ReadMode=READ_METADATA) at jpgfile.c:322
        infile = (FILE *) 0x825e048
        ret = 134516080
#5  0x08049f81 in ProcessFile (FileName=0xbfdbc927 "hello-s148.jpeg") at jhead.c:815
        Modified = 0
        ReadMode = READ_METADATA
#6  0x0804b6ee in main (argc=2, argv=0xbfdbad44) at jhead.c:1618
        argn = 1
        arg = 0xbfdbc927 "hello-s148.jpeg"

I guess in this particular case, the problem is on exif.c circa line 986,
the "FirstOffset" value is taken at face value (although a warning is 
printed). Looks like the segfault is caused by an invalid pointer memory read,
so I guess that's not exploitable(?), but I thought I'd report this anyway.

There were also problems with the IPTC parser not validating its length
fields; I forgot to keep an example around, but running zzuf on any .jpeg file
with an IPTC section should reproduce the problem fairly easily.

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.29.4 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=nb_NO.iso88591 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages jhead depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  libjpeg-progs                 6b-14      Programs for manipulating JPEG fil

jhead recommends no packages.

jhead suggests no packages.

-- no debconf information



--- End Message ---
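The trace above shows the shape of the bug: FirstOffset (4194313, i.e. 0x00400009) is read out of a 126-byte TIFF section, added to OffsetBase and handed straight to Get16u, so the first dereference of the untrusted pointer faults. The following is an added example, not jhead's code and not the upstream patch that closed this bug: a small EXIF first-IFD parser in which every file-supplied offset and count is checked against the section length before it is used. The payload bytes, the function names and the error codes are all constructed for this illustration; the layout follows the TIFF/EXIF format ("Exif\0\0", byte-order mark, magic 42, 32-bit IFD0 offset, 2-byte entry count, 12-byte entries, 4-byte next-IFD link). The same pattern (bound the length field, then bound the offset, then multiply in a width that cannot wrap) is what the reporter's IPTC remark calls for as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Negative return: the input was rejected before any untrusted offset was dereferenced. */
enum exif_rc {
    EXIF_BAD_HEADER  = -1, /* no "Exif\0\0" or TIFF header truncated      */
    EXIF_BAD_ORDER   = -2, /* byte-order mark is neither "II" nor "MM"     */
    EXIF_BAD_MAGIC   = -3, /* TIFF magic is not 42                         */
    EXIF_BAD_IFD_OFF = -4, /* first-IFD offset points outside the section  */
    EXIF_BAD_IFD_LEN = -5, /* entry count does not fit inside the section  */
    EXIF_BAD_ENTRY   = -6  /* an entry's format or value offset is invalid */
};

/* Same job as jhead's Get16u/Get32u; the caller must have bounds-checked p first. */
static uint16_t get16(const unsigned char *p, int motorola)
{
    return motorola ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}

static uint32_t get32(const unsigned char *p, int motorola)
{
    return motorola
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Bytes per component for TIFF data formats 1..12 (index 0 unused). */
static const unsigned fmt_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Parse IFD0 of an APP1 EXIF payload. Returns the entry count or a negative exif_rc. */
int parse_exif_first_ifd(const unsigned char *exif, size_t exif_len)
{
    if (exif_len < 6 + 8 || memcmp(exif, "Exif\0\0", 6) != 0)
        return EXIF_BAD_HEADER;

    const unsigned char *tiff = exif + 6;   /* all EXIF offsets are relative to here */
    size_t tiff_len = exif_len - 6;

    int motorola;
    if (memcmp(tiff, "II", 2) == 0)      motorola = 0;
    else if (memcmp(tiff, "MM", 2) == 0) motorola = 1;
    else return EXIF_BAD_ORDER;

    if (get16(tiff + 2, motorola) != 42)
        return EXIF_BAD_MAGIC;

    /* FirstOffset in the trace: attacker-controlled, so range-check it before tiff + first
     * is ever formed or read. It needs room for at least the 2-byte entry count. */
    uint32_t first = get32(tiff + 4, motorola);
    if (first < 8 || first > tiff_len - 2)
        return EXIF_BAD_IFD_OFF;

    const unsigned char *dir = tiff + first;
    uint16_t n = get16(dir, motorola);

    /* 2-byte count + n 12-byte entries + 4-byte next-IFD link must all fit. */
    size_t dir_bytes = 2 + (size_t)n * 12 + 4;
    if (dir_bytes > tiff_len - first)
        return EXIF_BAD_IFD_LEN;

    for (uint16_t i = 0; i < n; i++) {
        const unsigned char *e = dir + 2 + (size_t)i * 12;
        uint16_t fmt   = get16(e + 2, motorola);
        uint32_t comps = get32(e + 4, motorola);
        if (fmt < 1 || fmt > 12)
            return EXIF_BAD_ENTRY;

        /* 64-bit product: a huge component count must not wrap to a small size. */
        uint64_t bytes = (uint64_t)comps * fmt_size[fmt];
        if (bytes > 4) {  /* value stored out of line at yet another untrusted offset */
            uint32_t off = get32(e + 8, motorola);
            if (off > tiff_len || bytes > tiff_len - off)
                return EXIF_BAD_ENTRY;
        }
    }
    return n;
}

/* Constructed sample (not the report's file): minimal well-formed payload, Intel order. */
static const unsigned char good_exif[] = {
    'E','x','i','f',0,0,                 /* APP1 EXIF identifier               */
    'I','I', 0x2A,0x00,                  /* TIFF header: Intel order, magic 42 */
    0x08,0x00,0x00,0x00,                 /* offset of IFD0 = 8                 */
    0x02,0x00,                           /* IFD0 has 2 entries                 */
    0x0F,0x01, 0x02,0x00, 0x06,0x00,0x00,0x00, 0x26,0x00,0x00,0x00, /* Make: ASCII x6 at 38 */
    0x12,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, /* Orientation: SHORT 1 */
    0x00,0x00,0x00,0x00,                 /* no next IFD                        */
    'C','a','n','o','n',0                /* Make string at TIFF offset 38      */
};

/* Parse a copy of good_exif with patch_len bytes overwritten at byte index at. */
static int parse_patched(size_t at, const unsigned char *patch, size_t patch_len)
{
    unsigned char buf[sizeof good_exif];
    memcpy(buf, good_exif, sizeof buf);
    memcpy(buf + at, patch, patch_len);
    return parse_exif_first_ifd(buf, sizeof buf);
}

/* IFD0 offset 0x00400009 = 4194313, the FirstOffset value in the report's trace. */
int demo_bad_first_offset(void)
{
    static const unsigned char p[] = {0x09,0x00,0x40,0x00};
    return parse_patched(10, p, sizeof p);
}

/* Entry count 0xFFFF: the directory would run far past the 44-byte TIFF section. */
int demo_bad_entry_count(void)
{
    static const unsigned char p[] = {0xFF,0xFF};
    return parse_patched(14, p, sizeof p);
}

/* Out-of-line value offset 0x7FFFFFFF for the Make entry. */
int demo_bad_value_offset(void)
{
    static const unsigned char p[] = {0xFF,0xFF,0xFF,0x7F};
    return parse_patched(24, p, sizeof p);
}

int main(void)
{
    printf("good: %d entries\n", parse_exif_first_ifd(good_exif, sizeof good_exif));
    printf("bad first offset: %d\n", demo_bad_first_offset());
    printf("bad entry count:  %d\n", demo_bad_entry_count());
    printf("bad value offset: %d\n", demo_bad_value_offset());
    return 0;
}
```

Note the order of the checks: the offset is bounded before the count is read, the count is bounded before the entries are walked, and each entry's size is computed in 64 bits before its value offset is compared with the remaining length. The reporter's guess that a wild read is "not exploitable" holds only for this particular crash; the same unchecked arithmetic feeds later copies in a parser of this kind, which is why every file-supplied offset gets the same treatment here.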
--- Begin Message ---
Source: jhead
Source-Version: 2.875-2

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive:

jhead_2.875-2.diff.gz
  to pool/main/j/jhead/jhead_2.875-2.diff.gz
jhead_2.875-2.dsc
  to pool/main/j/jhead/jhead_2.875-2.dsc
jhead_2.875-2_amd64.deb
  to pool/main/j/jhead/jhead_2.875-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <[email protected]> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 31 May 2009 17:36:13 +0200
Source: jhead
Binary: jhead
Architecture: source amd64
Version: 2.875-2
Distribution: unstable
Urgency: low
Maintainer: Ludovic Rousseau <[email protected]>
Changed-By: Ludovic Rousseau <[email protected]>
Description: 
 jhead      - manipulate the non-image part of Exif compliant JPEG files
Closes: 530401
Changes: 
 jhead (2.875-2) unstable; urgency=low
 .
   * Fix "segmentation fault on corrupt input file" patch from upstream
     debian/patches/30_buffer_overflow (Closes: #530401)
Checksums-Sha1: 
 98da1f261f053e967a1ba61197743db99a85b928 986 jhead_2.875-2.dsc
 50d4970f773bc77888918dc5deccccf71aff6d26 5683 jhead_2.875-2.diff.gz
 cb6044e4b60cf3d41d9bc1c9e2e4ae9fa08924ce 46760 jhead_2.875-2_amd64.deb
Checksums-Sha256: 
 3472ac20660be6c54e4b24ae8757627254949dffab95352feebe57eea0d2df53 986 jhead_2.875-2.dsc
 0645aa7e6a44cdcfa1cf1d6af1c7afc0e56655ffc8e4985c17b483413bcb8170 5683 jhead_2.875-2.diff.gz
 34cfce5169864b9b395c7d1294cf9337807cc38f30def0166bad704528741956 46760 jhead_2.875-2_amd64.deb
Files: 
 bccf2ea52f296b9195bd929a4caba6b4 986 graphics optional jhead_2.875-2.dsc
 c74ee778777ee9ce80a77b15cda6a80d 5683 graphics optional jhead_2.875-2.diff.gz
 40aa3725d19a5a2b232787a2c47ac47e 46760 graphics optional jhead_2.875-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoipG4ACgkQP0qKj+B/HPm4vACeP1dlGQpLq/5YaHqjPSGWm1jL
ZusAn2CgerohZ/nBZc4vFRX6ecDY3SOQ
=IdId
-----END PGP SIGNATURE-----



--- End Message ---