Your message dated Sun, 08 Mar 2020 21:37:31 +0000
with message-id <[email protected]>
and subject line Bug#953352: fixed in jhead 1:3.04-2
has caused the Debian Bug report #953352,
regarding Heap-buffer-overflow in jhead-3.04
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
953352: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953352
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jhead
Version: 3.04

A heap-buffer-overflow issue was discovered in jhead-3.04:gpsinfo.c:161.

Please run the following command to reproduce it:
./jhead poc

Here is the detailed log:
$ ./jhead poc

Nonfatal Error : 'poc' Extraneous 10 padding bytes before section E1

Nonfatal Error : 'poc' Illegal value pointer for tag 0100 in Exif

Nonfatal Error : 'poc' Illegal value pointer for tag fe0f in Exif

Nonfatal Error : 'poc' Illegal value pointer for tag 0110 in Exif
=================================================================
==29343==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e03e98 at pc 0x08059e85 bp 0xbffbf488 sp 0xbffbf478
READ of size 1 at 0xb5e03e98 thread T0
    #0 0x8059e84 in ProcessGpsInfo /home/test/afl/jhead-3.04/gpsinfo.c:161
    #1 0x8055a15 in ProcessExifDir /home/test/afl/jhead-3.04/exif.c:866
    #2 0x8056260 in process_EXIF /home/test/afl/jhead-3.04/exif.c:1041
    #3 0x804fdb8 in ReadJpegSections /home/test/afl/jhead-3.04/jpgfile.c:287
    #4 0x8050190 in ReadJpegFile /home/test/afl/jhead-3.04/jpgfile.c:379
    #5 0x804cad9 in ProcessFile /home/test/afl/jhead-3.04/jhead.c:905
    #6 0x8049cfa in main /home/test/afl/jhead-3.04/jhead.c:1756
    #7 0xb77b8636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #8 0x804b65b  (/home/test/BinFuzz/jhead+0x804b65b)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/afl/jhead-3.04/gpsinfo.c:161 ProcessGpsInfo
Shadow bytes around the buggy address:
  0x36bc0780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36bc07d0: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29343==ABORTING

This issue was raised by binary-security-lab of Sichuan University as part of
fuzzing research work.

Attachment: poc
Description: Binary data


--- End Message ---
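The stack above shows ProcessGpsInfo being reached from ProcessExifDir through the GPS sub-directory of the EXIF data, after jhead had already flagged several entries with "Illegal value pointer", and the fault itself is a 1-byte read at an address ASan cannot attribute to any live allocation. The following is an added example, not jhead's code and not part of the bug report: a small bounds-checked walker for a TIFF/EXIF image file directory (IFD) that shows the checks such a parser needs before dereferencing an entry's value offset or a sub-IFD pointer. The sample section bytes, the return codes, the depth limit and every function name here are constructed for this illustration.

```c
/*
 * Added example (not jhead's code): a bounds-checked TIFF/EXIF IFD walker.
 * Each 12-byte IFD entry is tag(2) type(2) count(4) value-or-offset(4).
 * Values of 4 bytes or less sit inline; larger ones live at a 32-bit
 * offset from the start of the section, which is attacker-controlled and
 * must be checked against the section length before it is followed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { IFD_OK = 0, IFD_TRUNCATED = -1, IFD_BAD_OFFSET = -2, IFD_BAD_TYPE = -3, IFD_TOO_DEEP = -4 };

#define TAG_GPS_IFD   0x8825   /* pointer to the GPS sub-directory */
#define MAX_IFD_DEPTH 4        /* assumption: bounds nested/cyclic sub-IFD pointers */

/* Byte size of TIFF data types 1..12; index 0 is unused. */
static const size_t type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

static uint16_t get16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t get32(const uint8_t *p, int le) {
    return le ? (uint32_t)get16(p, le) | (uint32_t)get16(p + 2, le) << 16
              : (uint32_t)get16(p, le) << 16 | get16(p + 2, le);
}

/* Walk one IFD at ifd_off; add every value byte it touches to *sum. */
static int walk_ifd(const uint8_t *buf, size_t len, size_t ifd_off, int le, int depth, uint32_t *sum)
{
    if (depth > MAX_IFD_DEPTH) return IFD_TOO_DEEP;
    if (ifd_off > len || len - ifd_off < 2) return IFD_TRUNCATED;
    uint16_t n = get16(buf + ifd_off, le);
    size_t entries = ifd_off + 2;
    if ((size_t)n > (len - entries) / 12) return IFD_TRUNCATED;  /* all entries must fit */

    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + entries + (size_t)i * 12;
        uint16_t tag = get16(e, le), type = get16(e + 2, le);
        uint32_t count = get32(e + 4, le);
        if (type == 0 || type > 12) return IFD_BAD_TYPE;
        if (count > SIZE_MAX / type_size[type]) return IFD_BAD_OFFSET;  /* count*size overflow */
        size_t bytes = (size_t)count * type_size[type];

        if (tag == TAG_GPS_IFD) {
            /* Sub-directory pointer: recurse, so its header and entries get the same checks. */
            int rc = walk_ifd(buf, len, get32(e + 8, le), le, depth + 1, sum);
            if (rc != IFD_OK) return rc;
            continue;
        }
        const uint8_t *val;
        if (bytes <= 4) {
            val = e + 8;                    /* inline value, already inside the entry */
        } else {
            uint32_t off = get32(e + 8, le);
            /* The check that matters: offset and offset+size must both lie inside the section. */
            if (off > len || bytes > len - off) return IFD_BAD_OFFSET;
            val = buf + off;
        }
        for (size_t k = 0; k < bytes; k++) *sum += val[k];
    }
    return IFD_OK;
}

/* Parse a TIFF section ("II" little-endian or "MM" big-endian header). */
int parse_tiff_section(const uint8_t *buf, size_t len, uint32_t *sum)
{
    if (len < 8 || (memcmp(buf, "II", 2) && memcmp(buf, "MM", 2))) return IFD_TRUNCATED;
    int le = buf[0] == 'I';
    *sum = 0;
    return walk_ifd(buf, len, get32(buf + 4, le), le, 0, sum);
}

/* Constructed 62-byte little-endian section: IFD0 holds a Model string
 * (stored out of line at byte 38) and a GPS pointer to a sub-IFD at byte 44. */
static const uint8_t SAMPLE[62] = {
    'I','I', 42,0, 8,0,0,0,                    /* header, IFD0 at offset 8 */
    2,0,                                       /* IFD0: 2 entries */
    0x10,0x01, 2,0, 6,0,0,0, 38,0,0,0,         /* Model, ASCII[6] at offset 38 */
    0x25,0x88, 4,0, 1,0,0,0, 44,0,0,0,         /* GPS IFD pointer -> 44 */
    0,0,0,0,                                   /* no next IFD */
    'C','a','m','0','1',0,                     /* bytes 38..43 */
    1,0,                                       /* GPS IFD at 44: 1 entry */
    0x01,0x00, 2,0, 2,0,0,0, 'N',0,0,0,        /* GPSLatitudeRef "N", inline */
    0,0,0,0,                                   /* no next IFD */
};

/* Intact sample: returns the byte sum of all values (370 for "Cam01\0" + 78 for "N\0"). */
int demo_valid_sum(void) {
    uint32_t s; int rc = parse_tiff_section(SAMPLE, sizeof SAMPLE, &s);
    return rc == IFD_OK ? (int)s : rc;
}
/* Model value offset moved to 0x1000, past the end of the 62-byte section. */
int demo_bad_value_pointer(void) {
    uint8_t b[sizeof SAMPLE]; memcpy(b, SAMPLE, sizeof b);
    b[18] = 0x00; b[19] = 0x10;
    uint32_t s; return parse_tiff_section(b, sizeof b, &s);
}
/* GPS sub-IFD pointer aimed outside the section. */
int demo_bad_gps_pointer(void) {
    uint8_t b[sizeof SAMPLE]; memcpy(b, SAMPLE, sizeof b);
    b[30] = 0x00; b[31] = 0x10;
    uint32_t s; return parse_tiff_section(b, sizeof b, &s);
}
/* GPS pointer aimed back at IFD0: the depth limit breaks the cycle. */
int demo_gps_loop(void) {
    uint8_t b[sizeof SAMPLE]; memcpy(b, SAMPLE, sizeof b);
    b[30] = 8;
    uint32_t s; return parse_tiff_section(b, sizeof b, &s);
}

int main(void) {
    printf("valid=%d bad_value_ptr=%d bad_gps_ptr=%d gps_loop=%d\n",
           demo_valid_sum(), demo_bad_value_pointer(), demo_bad_gps_pointer(), demo_gps_loop());
    return 0;
}
```

Build it with `-fsanitize=address -g` as the reporter did and the three malformed variants exit with an error code instead of a shadow-byte dump; drop the `off > len || bytes > len - off` line and the first variant reads 6 bytes from 0x1000 past a 62-byte heap buffer, which is the shape of fault ASan reported above.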
--- Begin Message ---
Source: jhead
Source-Version: 1:3.04-2
Done: Ludovic Rousseau <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <[email protected]> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 08 Mar 2020 22:20:20 +0100
Source: jhead
Architecture: source
Version: 1:3.04-2
Distribution: unstable
Urgency: medium
Maintainer: Ludovic Rousseau <[email protected]>
Changed-By: Ludovic Rousseau <[email protected]>
Closes: 953352
Changes:
 jhead (1:3.04-2) unstable; urgency=medium
 .
   * Fix "Heap-buffer-overflow in jhead-3.04" (Closes: #953352)
     patch in d/p/01_gpsinfo.c
   * d/control: Standards-Version: 4.3.0 -> 4.5.0. No change needed
   * d/control: use debhelper-compat (= 12) instead of level 11
   * d/control: add Rules-Requires-Root: no
Checksums-Sha1:
 e1a0665f2e664d173c2f17a9d8824045c6946a6f 1821 jhead_3.04-2.dsc
 412b4288292b1f3f98020af41fc1a2655a822e01 6016 jhead_3.04-2.debian.tar.xz
 15029cda50ec76c16b11ce3bee3821d8b77786d6 5691 jhead_3.04-2_amd64.buildinfo
Checksums-Sha256:
 264f5bf4145e7d7ee4d1b3ca5f3929f875fb66914f2bdf8fce0a4c51b418567f 1821 jhead_3.04-2.dsc
 158a2d564e323e09ab9963f2c2877731b5fd8531055e885d52d70b0b417a15a7 6016 jhead_3.04-2.debian.tar.xz
 dc731e0d8c8ea28db1c0b0d60e82769aa3a60100e1a91f08f8ab657deef4cc97 5691 jhead_3.04-2_amd64.buildinfo
Files:
 4d3b539e55f2d54c0c918bd3a86a0cb2 1821 graphics optional jhead_3.04-2.dsc
 794346ecac8cf8c7278236de4b9ca063 6016 graphics optional jhead_3.04-2.debian.tar.xz
 291ba1b706951cf68a8d62c2a5df1e46 5691 graphics optional jhead_3.04-2_amd64.buildinfo


--- End Message ---
