Your message dated Sat, 03 Feb 2018 10:04:42 +0000
with message-id <[email protected]>
and subject line Bug#889272: fixed in jhead 1:3.00-6
has caused the Debian Bug report #889272,
regarding jhead: heap buffer overflow while running jhead
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
889272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889272
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jhead
Version: 1:3.00-5
Severity: important
Tags: security

heap buffer overflow running jhead with "poc" option

Running 'jhead poc' with the attached file raises a heap buffer overflow
which may allow a remote attacker to cause unspecified impact including
a denial-of-service attack.

I expected the program to terminate without a segfault, but the program
crashes as follows:

june@june:~/temp/report/jhead/00013658$ ../../binary/jhead-3.00/jhead ./poc
=================================================================
==10024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efff at pc 0x555555570af5 bp 0x7ffffffef920 sp 0x7ffffffef918
READ of size 1 at 0x60200000efff thread T0
    #0 0x555555570af4 in Get32s exif.c:337
    #1 0x555555570af4 in Get32u exif.c:365
    #2 0x555555570af4 in process_EXIF exif.c:1021
    #3 0x555555568506 in ReadJpegSections jpgfile.c:287
    #4 0x555555568a05 in ReadJpegSections jpgfile.c:126
    #5 0x555555568a05 in ReadJpegFile jpgfile.c:375
    #6 0x555555564af3 in ProcessFile jhead.c:896
    #7 0x555555562608 in main jhead.c:1729
    #8 0x7ffff67bb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #9 0x555555563a19 in _start (/home/june/temp/report/binary/jhead-3.00/jhead+0xfa19)

0x60200000efff is located 0 bytes to the right of 15-byte region [0x60200000eff0,0x60200000efff)
allocated by thread T0 here:
    #0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x555555567b36 in ReadJpegSections jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:337 in Get32s
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[07]
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10024==ABORTING

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages jhead depends on:
ii  libc6                2.24-11+deb9u1
ii  libjpeg-turbo-progs  1:1.5.1-2

jhead recommends no packages.

Versions of packages jhead suggests:
ii  imagemagick                      8:6.9.7.4+dfsg-11+deb9u4
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-11+deb9u4

-- no debconf information
--- End Message ---
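The ASan report above shows a one-byte read just past a 15-byte heap region, reached through Get32u while process_EXIF walks the EXIF section. The page does not show the patch that went into 1:3.00-6, so the following is an added illustration of the general defence rather than jhead's code or its fix: a walk over the first IFD of a TIFF-structured EXIF section in which every multi-byte read is checked against the section length before memory is touched, and an out-of-line value offset is checked as well. The raw readers reproduce the shape of an unchecked Get32u/Get16u; the checked wrappers, the function names, the sample buffers and the decision to reject unknown field types are all this example's own assumptions.

```c
/* Added example, not jhead's code: bounds-checked walk over the first IFD
 * of a TIFF-structured EXIF section. Sample buffers are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIFF_HEADER_LEN 8
#define IFD_ENTRY_LEN   12

/* Raw readers: the caller alone guarantees that p + 4 (or p + 2) stays inside
 * the allocation. This is the shape of the read ASan flagged above when that
 * guarantee is missing. */
static uint32_t get32u_raw(const uint8_t *p, int motorola) {
    if (motorola)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8)  |  (uint32_t)p[0];
}

static uint16_t get16u_raw(const uint8_t *p, int motorola) {
    return motorola ? (uint16_t)((p[0] << 8) | p[1])
                    : (uint16_t)((p[1] << 8) | p[0]);
}

/* Checked readers: return -1 instead of reading when the field would not fit.
 * The test is written as off > len - n (after len >= n) so that a hostile
 * off cannot wrap off + n around to a small value. */
static int get32u(const uint8_t *d, size_t len, size_t off, int mot, uint32_t *out) {
    if (len < 4 || off > len - 4) return -1;
    *out = get32u_raw(d + off, mot);
    return 0;
}

static int get16u(const uint8_t *d, size_t len, size_t off, int mot, uint16_t *out) {
    if (len < 2 || off > len - 2) return -1;
    *out = get16u_raw(d + off, mot);
    return 0;
}

/* Element size per TIFF field type 1..12; 0 for an unknown type. */
static size_t tiff_type_size(uint16_t t) {
    static const uint8_t sz[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
    return t < sizeof sz ? sz[t] : 0;
}

/* Walk the first IFD. Each 12-byte entry must fit in the section before its
 * count and value/offset fields are read; when the payload exceeds 4 bytes
 * the value is an offset and must itself lie inside the section.
 * Returns the number of entries read, or -1 on truncation or a dangling
 * reference. Unknown field types are rejected rather than guessed at. */
int walk_first_ifd(const uint8_t *d, size_t len) {
    int mot;
    uint16_t magic, n_entries, tag, type;
    uint32_t ifd_off, count, value;

    if (len < TIFF_HEADER_LEN) return -1;
    if (memcmp(d, "MM", 2) == 0) mot = 1;          /* big-endian (Motorola) */
    else if (memcmp(d, "II", 2) == 0) mot = 0;     /* little-endian (Intel) */
    else return -1;
    if (get16u(d, len, 2, mot, &magic) != 0 || magic != 42) return -1;
    if (get32u(d, len, 4, mot, &ifd_off) != 0) return -1;
    if (get16u(d, len, ifd_off, mot, &n_entries) != 0) return -1;

    for (uint32_t i = 0; i < n_entries; i++) {
        size_t e = (size_t)ifd_off + 2 + (size_t)i * IFD_ENTRY_LEN;
        if (len < IFD_ENTRY_LEN || e > len - IFD_ENTRY_LEN) return -1;
        /* The whole entry is known to fit, so these reads cannot fail. */
        get16u(d, len, e, mot, &tag);
        get16u(d, len, e + 2, mot, &type);
        get32u(d, len, e + 4, mot, &count);
        get32u(d, len, e + 8, mot, &value);
        size_t elem = tiff_type_size(type);
        if (elem == 0) return -1;
        uint64_t payload = (uint64_t)count * elem;
        if (payload > 4 && (payload > len || value > len - payload)) return -1;
        (void)tag;
    }
    return n_entries;
}

/* Constructed sample: well-formed little-endian section with one ASCII entry
 * (tag 0x0110) whose 6-byte value lives at offset 26. */
static const uint8_t SAMPLE_OK[32] = {
    'I','I', 0x2A,0x00,  0x08,0x00,0x00,0x00,      /* header, IFD at 8     */
    0x01,0x00,                                     /* one entry            */
    0x10,0x01,  0x02,0x00,  0x06,0x00,0x00,0x00,   /* tag, ASCII, count 6  */
    0x1A,0x00,0x00,0x00,                           /* value offset 26      */
    0x00,0x00,0x00,0x00,                           /* no next IFD          */
    'j','h','e','a','d',0x00                       /* payload at 26..31    */
};

int example_well_formed(void) { return walk_first_ifd(SAMPLE_OK, sizeof SAMPLE_OK); }

/* Same bytes cut to 15, the region size in the report: the entry's count
 * field would start at byte 14 and run past the end of the buffer. */
int example_truncated(void) { return walk_first_ifd(SAMPLE_OK, 15); }

/* Value offset rewritten to 1000, far outside the 32-byte section. */
int example_dangling_offset(void) {
    uint8_t buf[32];
    memcpy(buf, SAMPLE_OK, sizeof buf);
    buf[18] = 0xE8; buf[19] = 0x03;                /* 1000, little-endian */
    return walk_first_ifd(buf, sizeof buf);
}

int main(void) {
    printf("well-formed: %d entry\n", example_well_formed());
    printf("truncated:   %d\n", example_truncated());
    printf("dangling:    %d\n", example_dangling_offset());
    return 0;
}
```

The point of the `off > len - n` form is that the length check happens before any arithmetic that could wrap; checking `off + n <= len` instead lets an attacker-chosen offset near `SIZE_MAX` pass. The truncated buffer is a stand-in for the 15-byte region in the report, not the reporter's actual `poc` file, which is not on the page.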
--- Begin Message ---
Source: jhead
Source-Version: 1:3.00-6

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <[email protected]> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Feb 2018 10:46:05 +0100
Source: jhead
Binary: jhead
Architecture: source amd64
Version: 1:3.00-6
Distribution: unstable
Urgency: medium
Maintainer: Ludovic Rousseau <[email protected]>
Changed-By: Ludovic Rousseau <[email protected]>
Description:
 jhead      - manipulate the non-image part of Exif compliant JPEG files
Closes: 889272
Changes:
 jhead (1:3.00-6) unstable; urgency=medium
 .
   * Reformat patches for gbp pq
   * Fix heap buffer overflow (Closes: #889272)
Checksums-Sha1:
 9124e7695eb499b3bd17f138468467da0096b823 1842 jhead_3.00-6.dsc
 0443593e68e9e7b33f6ee0612d852d6e7f86c722 8252 jhead_3.00-6.debian.tar.xz
 389deaea6a42a00a69908ccb4551fb0d1c3ae13a 61568 jhead-dbgsym_3.00-6_amd64.deb
 c9c62433962c0744d018a8f50d6fc8cc7902994e 6253 jhead_3.00-6_amd64.buildinfo
 44a67f24fd0b3aa4307fc34580570f49d0ded7c3 48816 jhead_3.00-6_amd64.deb
Checksums-Sha256:
 adbb29dbceffb2ac415abeeb41733e2124c4b5068c4bf9c8258998264f0c7fb2 1842 jhead_3.00-6.dsc
 7ba8cd13f46c058f94591019a9be676f6d094103b403eb8eee1b14434069f806 8252 jhead_3.00-6.debian.tar.xz
 95330a4f7106cf1af70f62fffa6b6dd44ac0cbb239eb7e46a03f75a0de59402b 61568 jhead-dbgsym_3.00-6_amd64.deb
 2468657e12d73b5808f985c50434654eba1a164ef0fd36f05ad6d24662f010f5 6253 jhead_3.00-6_amd64.buildinfo
 6b70b9c549cfeffa7ba1d3b978a054d075d9f2899dae15509fe933c90e477513 48816 jhead_3.00-6_amd64.deb
Files:
 bf918064779becc674169d6f7f93a934 1842 graphics optional jhead_3.00-6.dsc
 6bd99a783605a073e580e22b4ca3a524 8252 graphics optional jhead_3.00-6.debian.tar.xz
 a15da9f66ea56f1ff7e52d95a12c69d1 61568 debug optional jhead-dbgsym_3.00-6_amd64.deb
 2b2f845f48f8662d6817e518d1818aab 6253 graphics optional jhead_3.00-6_amd64.buildinfo
 3b97837a930f752cf8a7241dcd7eabdc 48816 graphics optional jhead_3.00-6_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEE9eEbn/6REUb0HZU9eKG03+j5xX4FAlp1hkcUHHJvdXNzZWF1
QGRlYmlhbi5vcmcACgkQeKG03+j5xX5/6hAAmjWioztAuUn6Y/2syZwhjVVMjYmK
p9F+I0CEJQbEN3MNXb/JR5+yJ+3DXEn/eDEr9h+dRli0WIqTj2SpVPIZA8irg7r8
FyHZVFigGq32aTdZsbiWYuFM1pyvPSepXxLgeKZVwQYxD9BGcEr5hnuE6wV+tQge
LBNwuDptXcCi53qENGNHt2YJf4JIvKTHTk0WiknJsLIBxh5O8r/HpXGvLvFuEVPQ
g4HHKS/4/Jibpw9qih4WVj12D8w6NmNlHl8hN6ukqEkPWXGPvqObNNAhu8y7Ge6t
NN4o4uPKQ2xkOFHfoQRkzwQ+fncr+UPuoffg9xa3ZNJ6qvLKho1is3slVXK+i6KG
rIchdlVZWTeP2eJYmvKB8IsyT+b73lhLzYHPfZcpgb4EReWYkclXtZN74aB3vUge
4/v9h0x/cQpY7n3A6FLVg7yuc3nttVLovzJfpnE2SE1ZDVJjerJb+L35oTCklTOe
cUM8y3Qsi1Sb3sNbq3dTYS3Oq/CYAe04AaX6+RhXBpLgE9Ej50ySA41w/Fc0jQlp
Pqv2HLzQ+RytB7bcUq2rKPBFfOY80GFHupmeED3xfmQde0AspkIbbkmcjZbxTUtS
mit7VkMH3mZM7qMIvP+qUWAbwc9wcE0S+acUeyhmyRSOmzwnu4yI7La+aAeYBXPQ
QIfKWY6hjkm6vbY=
=wKqC
-----END PGP SIGNATURE-----
--- End Message ---

