CVE-2019-1010301: 1679952 – Stack buffer overflow in gpsinfo.c when running jhead
jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file.
Description Jianzhong Liu 2019-02-22 10:34:29 UTC
Created attachment 1537431: Input triggering the bug
Description of problem: Some inputs may trigger a stack buffer overflow in jhead.
Version-Release number of selected component (if applicable): jhead-3.03
How reproducible: Stable
Steps to Reproduce:
- Run jhead with the attached input
Actual results: Running with default settings:
jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 11 padding bytes before section E1
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 12 padding bytes before section E1
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegally sized Exif subdirectory (229 entries)
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 10 padding bytes before section E1
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 35 for tag 0000 in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Too many components 2013278224 for tag 0000 in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for tag 5132 in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal GPS directory link in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for Exif gps tag 002a
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 69 for Exif gps tag 0004
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Inappropriate format (11) for Exif GPS coordinates!
*** buffer overflow detected ***: jhead terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f0c7ae239e7]
/lib64/libc.so.6(+0x115b62)[0x7f0c7ae21b62]
/lib64/libc.so.6(+0x11506b)[0x7f0c7ae2106b]
/lib64/libc.so.6(+0x506ba)[0x7f0c7ad5c6ba]
/lib64/libc.so.6(_IO_vfprintf+0x4ed7)[0x7f0c7ad59357]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7f0c7ae210f8]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7f0c7ae2104d]
jhead[0x408e1b]
jhead[0x406fb5]
jhead[0x4071e3]
jhead[0x40465b]
jhead[0x4047ed]
jhead[0x402b5e]
jhead[0x4017e4]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f0c7ad2e3d5]
jhead[0x402270]
======= Memory map: ========
00400000-00410000 r-xp 00000000 08:01 3543787 /usr/bin/jhead
00610000-00611000 r--p 00010000 08:01 3543787 /usr/bin/jhead
00611000-00612000 rw-p 00011000 08:01 3543787 /usr/bin/jhead
00612000-00617000 rw-p 00000000 00:00 0
01630000-01651000 rw-p 00000000 00:00 0 [heap]
7f0c7aaf6000-7f0c7ab0b000 r-xp 00000000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ab0b000-7f0c7ad0a000 ---p 00015000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0a000-7f0c7ad0b000 r--p 00014000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0b000-7f0c7ad0c000 rw-p 00015000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0c000-7f0c7aece000 r-xp 00000000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7aece000-7f0c7b0ce000 ---p 001c2000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7b0ce000-7f0c7b0d2000 r--p 001c2000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7b0d2000-7f0c7b0d4000 rw-p 001c6000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7b0d4000-7f0c7b0d9000 rw-p 00000000 00:00 0
7f0c7b0d9000-7f0c7b1da000 r-xp 00000000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b1da000-7f0c7b3d9000 ---p 00101000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b3d9000-7f0c7b3da000 r--p 00100000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b3da000-7f0c7b3db000 rw-p 00101000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b3db000-7f0c7b3fd000 r-xp 00000000 08:01 3286302 /usr/lib64/ld-2.17.so
7f0c7b5f5000-7f0c7b5f8000 rw-p 00000000 00:00 0
7f0c7b5f9000-7f0c7b5fc000 rw-p 00000000 00:00 0
7f0c7b5fc000-7f0c7b5fd000 r--p 00021000 08:01 3286302 /usr/lib64/ld-2.17.so
7f0c7b5fd000-7f0c7b5fe000 rw-p 00022000 08:01 3286302 /usr/lib64/ld-2.17.so
7f0c7b5fe000-7f0c7b5ff000 rw-p 00000000 00:00 0
7ffc6e3ac000-7ffc6e3cd000 rw-p 00000000 00:00 0 [stack]
7ffc6e3df000-7ffc6e3e2000 r--p 00000000 00:00 0 [vvar]
7ffc6e3e2000-7ffc6e3e4000 r-xp 00000000 00:00 0 [vdso]
[1]    172 abort (core dumped)  jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash
Stack backtrace according to gdb:
#0  0x00007f0c7ad42207 in __GI_raise (sig=sig@entry=6) at …/nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f0c7ad438f8 in __GI_abort () at abort.c:90
#2  0x00007f0c7ad84d27 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f0c7ae95312 "*** %s ***: %s terminated\n") at …/sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f0c7ae239e7 in __GI___fortify_fail (msg=msg@entry=0x7f0c7ae952b8 "buffer overflow detected") at fortify_fail.c:30
#4  0x00007f0c7ae21b62 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f0c7ae2106b in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#6  0x00007f0c7ad5c6ba in __GI___printf_fp_l (fp=fp@entry=0x7ffc6e3c4670, loc=<optimized out>, info=info@entry=0x7ffc6e3c41e0, args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1235
#7  0x00007f0c7ad5c799 in ___printf_fp (fp=fp@entry=0x7ffc6e3c4670, info=info@entry=0x7ffc6e3c41e0, args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1256
#8  0x00007f0c7ad59357 in _IO_vfprintf_internal (s=s@entry=0x7ffc6e3c4670, format=<optimized out>, format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", ap=ap@entry=0x7ffc6e3c47a8) at vfprintf.c:1634
#9  0x00007f0c7ae210f8 in ___vsprintf_chk (s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d 0.00\003c\001", flags=1, slen=50, format=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", args=args@entry=0x7ffc6e3c47a8) at vsprintf_chk.c:83
#10 0x00007f0c7ae2104d in ___sprintf_chk (s=s@entry=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d 0.00\003c\001", flags=flags@entry=1, slen=slen@entry=50, format=format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs") at sprintf_chk.c:32
#11 0x0000000000408e1b in sprintf (__fmt=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", __s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d 0.00\003c\001") at /usr/include/bits/stdio2.h:33
#12 ProcessGpsInfo (DirStart=<optimized out>, OffsetBase=OffsetBase@entry=0x1630308 "II*", ExifLength=ExifLength@entry=2135) at gpsinfo.c:151
#13 0x0000000000406fb5 in ProcessExifDir (DirStart=0x1630318 "E", OffsetBase=OffsetBase@entry=0x1630308 "II*", ExifLength=ExifLength@entry=2135, NestingLevel=NestingLevel@entry=0) at exif.c:866
#14 0x00000000004071e3 in process_EXIF (ExifSection=ExifSection@entry=0x1630300 "\b_Exif", length=length@entry=2143) at exif.c:1041
#15 0x000000000040465b in ReadJpegSections (infile=infile@entry=0x1630070, ReadMode=ReadMode@entry=READ_METADATA) at jpgfile.c:287
#16 0x00000000004047ed in ReadJpegFile (FileName=FileName@entry=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash", ReadMode=READ_METADATA) at jpgfile.c:375
#17 0x0000000000402b5e in ProcessFile (FileName=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash") at jhead.c:905
#18 0x00000000004017e4 in main (argc=<optimized out>, argv=0x7ffc6e3cbd58) at jhead.c:1757
Expected results: Not applicable
Additional info:
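The gdb frames above show what actually went wrong: sprintf() at gpsinfo.c:151 formats "%9.6fd %9.6fm %9.6fs" into a 50-byte stack buffer (slen=50), and the first value it was handed, about 1.04e34, already needs 42 characters by itself, because the tag's Exif type (11, a float) was only reported as a nonfatal error and the bytes were still interpreted as a coordinate. The C below is an added example, not jhead's code and not the Debian or Fedora patch: it computes the length arithmetic behind the overflow, replaces the unchecked sprintf with a bounds-checked snprintf whose return value is tested, and adds the input checks a GPS-coordinate handler needs (reject a tag whose type is not unsigned rational instead of only warning, reject zero denominators, reject values outside a coordinate's range). The function names, the EXIF_TYPE_URATIONAL constant (TIFF/Exif type code 5) and the sample byte strings are my own.

```c
/* Added example, not jhead's code: bounds-checked handling of the Exif GPS
 * coordinate formatting that overflowed a 50-byte stack buffer in the report. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <math.h>

#define GPS_STR_LEN 50           /* size of the fixed buffer in the report (slen=50) */
#define EXIF_TYPE_URATIONAL 5    /* TIFF/Exif type code for unsigned rational (my constant name) */

/* Decode three unsigned rationals (little-endian uint32 numerator/denominator
 * pairs, 24 bytes total) into degrees, minutes and seconds.
 * Returns -1 on a short buffer or a zero denominator (which would yield inf/nan). */
int parse_gps_rationals(const uint8_t *p, size_t len, double v[3])
{
    if (len < 24) return -1;
    for (int i = 0; i < 3; i++) {
        const uint8_t *q = p + i * 8;
        uint32_t num = (uint32_t)q[0] | (uint32_t)q[1] << 8 | (uint32_t)q[2] << 16 | (uint32_t)q[3] << 24;
        uint32_t den = (uint32_t)q[4] | (uint32_t)q[5] << 8 | (uint32_t)q[6] << 16 | (uint32_t)q[7] << 24;
        if (den == 0) return -1;
        v[i] = (double)num / (double)den;
    }
    return 0;
}

/* The formatting step itself. snprintf never writes past outlen, and a return
 * value >= outlen means the text would have been truncated, which is exactly
 * the situation the unchecked sprintf turned into a stack overflow. */
int format_gps_bounded(char *out, size_t outlen, const double v[3])
{
    int n = snprintf(out, outlen, "%9.6fd %9.6fm %9.6fs", v[0], v[1], v[2]);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Number of bytes sprintf would have written (excluding the NUL), computed
 * without writing anywhere; shows the arithmetic behind the overflow. */
size_t gps_formatted_length(const double v[3])
{
    int n = snprintf(NULL, 0, "%9.6fd %9.6fm %9.6fs", v[0], v[1], v[2]);
    return n < 0 ? 0 : (size_t)n;
}

/* Full path: refuse a tag whose declared type is not URATIONAL (the report's
 * file used type 11 and jhead only warned), refuse zero denominators, refuse
 * values no coordinate can have, then format with bounds checking.
 * Returns 0 and fills out on success, -1 otherwise. */
int process_gps_coord(int exif_type, const uint8_t *raw, size_t rawlen, char out[GPS_STR_LEN])
{
    double v[3];
    if (exif_type != EXIF_TYPE_URATIONAL) return -1;
    if (parse_gps_rationals(raw, rawlen, v) != 0) return -1;
    for (int i = 0; i < 3; i++)
        if (!isfinite(v[i]) || v[i] < 0.0 || v[i] > 360.0) return -1;
    return format_gps_bounded(out, GPS_STR_LEN, v);
}

int main(void)
{
    /* constructed sample: 37/1 degrees, 46/1 minutes, 59/2 seconds, little-endian */
    static const uint8_t good[24] = { 37,0,0,0, 1,0,0,0,  46,0,0,0, 1,0,0,0,  59,0,0,0, 2,0,0,0 };
    char buf[GPS_STR_LEN];
    if (process_gps_coord(EXIF_TYPE_URATIONAL, good, sizeof good, buf) == 0)
        printf("ok:  %s\n", buf);

    /* the first value as the formatter saw it in the report's backtrace */
    const double hostile[3] = { 1.0399825331313022e34, 0.0, 0.0 };
    printf("sprintf would write %zu bytes into a %d-byte buffer\n",
           gps_formatted_length(hostile), GPS_STR_LEN);
    printf("bounded formatter: %s\n",
           format_gps_bounded(buf, GPS_STR_LEN, hostile) == 0 ? "ok" : "rejected");
    return 0;
}
```

The type check is the part that matters most: once a tag of the wrong type is refused rather than merely logged, the float bytes never become a double at all, and the snprintf return-value check is the backstop for anything that still slips through.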
Comment 1 Adrian Reber 2019-02-25 07:19:59 UTC
Have you contacted upstream about it? That would make more sense than reporting it here.
Comment 2 Jianzhong Liu 2019-02-26 02:34:35 UTC
(In reply to Adrian Reber from comment #1)
> Have you contacted upstream about it? That would make more sense than
> reporting it here.
I have sent the author an email regarding this bug, but the author has been unresponsive.
Comment 4 Adrian Reber 2019-08-05 15:15:54 UTC
(In reply to Ludovic Rousseau from comment #3)
> The upstream author is not very responsive.
> Also jhead is a good example of an insecure parser for a complex format. I would not be surprised if more bugs are found.
> For Debian I fixed this bug in https://salsa.debian.org/debian/jhead/commit/bf330c777cc911b9f8509ffec7458952789c81e2

Thanks for pointing me to your patches. I will use them in the next jhead builds.
Comment 9 Fedora Update System 2019-08-14 01:05:27 UTC
jhead-3.03-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2019-08-14 01:42:05 UTC
jhead-3.03-4.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.