Package: exifprobe
Version: 2.0.1+git20201230.eee65ff-2
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

During fuzz testing of exifprobe, a buffer overflow was discovered that prevents the program from functioning correctly.

Build options

```
git clone https://salsa.debian.org/pkg-security-team/exifprobe.git
cd exifprobe
CC="clang -fsanitize=address -g" CXX="clang++ -fsanitize=address -g" make
```

ASAN Log

```
==530==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000eca760 at pc 0x00000042f862 bp 0x7ffcf73164d0 sp 0x7ffcf7315c88
READ of size 8193 at 0x000000eca760 thread T0
    #0 0x42f861 in strndup /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:397:3
    #1 0x506c55 in strdup_value /root/exifprobe/misc.c:105:19
    #2 0x4f854a in process_tiff_ifd /root/exifprobe/process.c:419:49
    #3 0x4eb32d in main /root/exifprobe/main.c:203:38
```

The poc file used can be downloaded from the link below.

- https://drive.google.com/file/d/1xKhPSN5S6jcprphvlaWy8wvvp6DIuW4a/view?usp=drive_link

This bug (vulnerability) can lead to a buffer overflow due to the use of the strndup function. Based on a simple analysis, it appears that the issue arises because `entry->count` can take on an excessively large value, which causes the problem.

```
val = strndup(buf, entry->count); //misc.c:105:19
```

Therefore, it seems necessary to guard the value of `entry->count` in order to prevent potential security vulnerabilities.

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-153-generic (SMP w/64 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages exifprobe depends on:
ii  libc6  2.41-12

exifprobe recommends no packages.

exifprobe suggests no packages.

-- no debconf information
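The guard the report asks for, as an added example that is neither exifprobe's code nor the reporter's: a hypothetical bounds check on an IFD entry's value range and a clamped replacement for the `strndup(buf, entry->count)` call, where `file_len`, `avail` and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical guard for an IFD entry's value range (names assumed).
   `file_len` is the number of input bytes actually in memory;
   `value_off` and `count` are the untrusted values read from the entry. */
int ifd_value_in_bounds(size_t file_len, uint32_t value_off, uint32_t count)
{
    /* 64-bit arithmetic so that offset + count cannot wrap to a small value. */
    uint64_t end = (uint64_t)value_off + (uint64_t)count;
    return end <= (uint64_t)file_len;
}

/* Clamped replacement for `val = strndup(buf, entry->count)`:
   `avail` is how many bytes really exist after `buf`. A huge count can
   only ever shorten the copy, never read beyond the buffer. */
char *strdup_value_bounded(const char *buf, size_t avail, uint32_t count)
{
    if (buf == NULL)
        return NULL;
    size_t n = count < avail ? (size_t)count : avail;
    /* ASCII values are usually NUL-terminated, but do not rely on it. */
    const char *nul = memchr(buf, '\0', n);
    size_t len = nul ? (size_t)(nul - buf) : n;
    char *val = malloc(len + 1);
    if (val == NULL)
        return NULL;
    memcpy(val, buf, len);
    val[len] = '\0';
    return val;
}
```

The caller is expected to check `ifd_value_in_bounds` before dereferencing the value offset, and to pass the remaining mapped length as `avail`.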

