Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #911220,
regarding stretch-pu: package jhead/1:3.00-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
911220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

Some CVEs were reported for jhead. I talked to Debian security team.
The security issues are not critical and Salvatore Bonaccorso proposed
to update the package in stable using stretch-pu instead of the security
team.

The issues are already fixed in Debian unstable. I just reused the
patches (from debian/patches/) for stretch-pu.

changes:
  * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
  * d/p/33_fix_908176: Fix CVE-2018-16554
  * d/p/34_buffer_overflow: Fix heap buffer overflow


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), 
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog
--- jhead-3.00/debian/changelog 2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/changelog 2018-10-16 08:38:19.000000000 +0000
@@ -1,3 +1,11 @@
+jhead (1:3.00-4.1) stable; urgency=high
+
+  * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
+  * d/p/33_fix_908176: Fix CVE-2018-16554
+  * d/p/34_buffer_overflow: Fix heap buffer overflow
+
+ -- Ludovic Rousseau <rouss...@debian.org>  Tue, 16 Oct 2018 10:38:19 +0200
+
 jhead (1:3.00-4) unstable; urgency=medium
 
   * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213)
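Review bot: the header of the new entry, `jhead (1:3.00-4.1) stable`, uses the NMU version form and the suite alias rather than the usual stable-update form; for a stretch-pu upload a version such as `1:3.00-4+deb9u1` with distribution `stretch` avoids clashing with an NMU numbered 4.1 and makes the target release explicit. The three items also omit the bug numbers that the patch headers further down carry (907925 and 908176), and the third item names neither a CVE nor a bug, so the changelog alone does not say which report it answers.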
diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo 
jhead-3.00/debian/patches/32_crash_in_gpsinfo
--- jhead-3.00/debian/patches/32_crash_in_gpsinfo       1970-01-01 
00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/32_crash_in_gpsinfo       2018-10-16 
08:33:06.000000000 +0000
@@ -0,0 +1,26 @@
+From: Ludovic Rousseau <rouss...@debian.org>
+Date: Wed Sep  5 15:32:00 CEST 2018
+Subject: Fix heap buffer overflow
+
+Bug-Debian: http://bugs.debian.org/907925
+Description: Fix CVE-2018-17088
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -4,6 +4,7 @@
+ // Matthias Wandel,  Dec 1999 - Dec 2002 
+ //--------------------------------------------------------------------------
+ #include "jhead.h"
++#include <stdint.h>
+ 
+ #define MAX_GPS_TAG 0x1e
+ 
+@@ -101,7 +102,7 @@
+             unsigned OffsetVal;
+             OffsetVal = Get32u(DirEntry+8);
+             // If its bigger than 4 bytes, the dir entry contains an offset.
+-            if (OffsetVal+ByteCount > ExifLength){
++            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > 
ExifLength){
+                 // Bogus pointer offset and / or bytecount value
+                 ErrNonfatal("Illegal value pointer for Exif gps tag %04x", 
Tag,0);
+                 continue;
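Review bot: the new guard `OffsetVal > UINT32_MAX - ByteCount` in the second inner hunk tests against a fixed 32-bit limit while `OffsetVal` is declared as plain `unsigned`, and the declaration of `ByteCount` is not in the context shown, so the check is only exact when both are 32-bit unsigned values. Writing the bound as `ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount` (with both operands unsigned) cannot wrap, does not depend on the width of the type, and makes the added `#include <stdint.h>` unnecessary. The Subject line says "heap buffer overflow" while the file name says "crash"; one wording for both would make the patch easier to track.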
diff -Nru jhead-3.00/debian/patches/33_fix_908176 
jhead-3.00/debian/patches/33_fix_908176
--- jhead-3.00/debian/patches/33_fix_908176     1970-01-01 00:00:00.000000000 
+0000
+++ jhead-3.00/debian/patches/33_fix_908176     2018-10-16 08:35:19.000000000 
+0000
@@ -0,0 +1,19 @@
+From: Ludovic Rousseau <rouss...@debian.org>
+Date: Sat Sep  8 16:19:07 CEST 2018
+Subject: fix heap buffer overflow
+
+Bug-Debian: https://bugs.debian.org/908176
+Description: Fix CVE-2018-16554
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -162,7 +162,8 @@
+                 break;
+ 
+             case TAG_GPS_ALT:
+-                sprintf(ImageInfo.GpsAlt + 1, "%.2fm", 
++                snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1,
++                    "%.2fm",
+                     ConvertAnyFormat(ValuePtr, Format));
+                 break;
+         }
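Review bot: the return value of the new `snprintf` call in the `TAG_GPS_ALT` case is ignored, so an altitude string that used to overflow is now silently truncated and stored as if valid. Comparing the result against `sizeof(ImageInfo.GpsAlt) - 1` and reporting a too-long value through `ErrNonfatal`, as the neighbouring offset check does, would keep bogus input visible. The bound itself matches the `+ 1` destination offset, provided `GpsAlt` is an array member and not a pointer (its declaration is not in the hunk); `-1` should be spaced as `- 1`.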
diff -Nru jhead-3.00/debian/patches/34_buffer_overflow 
jhead-3.00/debian/patches/34_buffer_overflow
--- jhead-3.00/debian/patches/34_buffer_overflow        1970-01-01 
00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/34_buffer_overflow        2018-10-16 
08:36:45.000000000 +0000
@@ -0,0 +1,15 @@
+From: Ludovic Rousseau <rouss...@debian.org>
+Date: Sat Sep  8 16:02:23 CEST 2018
+Subject: Fix heap buffer overflow
+
+--- a/jhead.c
++++ b/jhead.c
+@@ -670,7 +670,7 @@
+             NameExtra[0] = 0;
+         }
+ 
+-        sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra);
++        snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, 
NameExtra);
+ 
+         if (!strcmp(FileName, NewName)) break; // Skip if its already this 
name.
+ 
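Review bot: the `snprintf` into `NewName` stops the overflow but does not handle truncation, and the next context line shows the result being compared with `FileName` as a target name. If `NewBaseName` plus `NameExtra` does not fit, the `.jpg` suffix is cut off and two different inputs can map to the same truncated name; checking for a return value `>= sizeof(NewName)` and skipping the file with an error is safer than proceeding. `sizeof(NewName)` is only the right bound if `NewName` is an array in this scope, which the hunk does not show. Unlike the other two patches, this header has no Bug-Debian or Description field.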
diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series
--- jhead-3.00/debian/patches/series    2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/patches/series    2018-10-16 08:37:07.000000000 +0000
@@ -5,3 +5,6 @@
 25_makefile
 27_documentation
 31_CVE-2016-3822
+32_crash_in_gpsinfo
+33_fix_908176
+34_buffer_overflow

--- End Message ---
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
