Headline
CVE-2021-34055: [ Security] heap-buffer-overflow of exif.c in function Put16u · Issue #36 · Matthias-Wandel/jhead
jhead 3.06 is vulnerable to Buffer Overflow via exif.c in function Put16u.
Hi jhead Team
I found an overflow error.
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
OBJ=obj
SRC=.
CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -fsanitize=address
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -fsanitize=address
$ ./jhead -autorot jhead_poc
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 23000004
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Illegal value pointer for tag 9204 in Exif
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Illegally sized Exif makernote subdir (44288 entries)
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 30003
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 4a003
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 5a20e
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 5a28d
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Illegal number format 512 for tag 0438 in Exif
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 10003
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 10007
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Extraneous 593 padding bytes before section E1
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Undefined rotation value 65281 in Exif
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 464946
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 11e1ff00
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Bad components count 2a004d
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Illegal number format 15 for tag 010a in Exif
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Illegal number format 16 for tag 0186 in Exif
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Illegal number format 18 for tag 0198 in Exif
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Illegal subdirectory link in Exif header
Nonfatal Error : ‘out_jpgs/default/crashes/poc’ Extraneous 10 padding bytes before section DD
==409516==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000006b2 at pc 0x00000031c8b8 bp 0x7ffc86175450 sp 0x7ffc86175448
WRITE of size 1 at 0x61a0000006b2 thread T0
    #0 0x31c8b7 in Put16u exif.c
    #1 0x31c8b7 in ClearOrientation exif.c:1248:17
    #2 0x31c8b7 in DoAutoRotate jhead.c:729:20
    #3 0x31c8b7 in ProcessFile jhead.c:879:17
    #4 0x31c8b7 in main jhead.c:1770:13
    #5 0x7f84881c90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16
    #6 0x260eed in _start (/home/hh/Downloads/jhead/jhead+0x260eed)

0x61a0000006b2 is located 50 bytes inside of 1164-byte region [0x61a000000680,0x61a000000b0c)
freed by thread T0 here:
    #0 0x2dca72 in free /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x3237f4 in DiscardAllButExif jpgfile.c:540:13

previously allocated by thread T0 here:
    #0 0x2dccdd in malloc /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x320538 in ReadJpegSections jpgfile.c:175:25
    #2 0x32256b in ReadJpegFile jpgfile.c:381:11

SUMMARY: AddressSanitizer: heap-use-after-free exif.c in Put16u
Shadow bytes around the buggy address:
  0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff80a0: 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c347fff80d0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c347fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==409516==ABORTING
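The sanitizer frames describe the bug shape more precisely than the title does: ReadJpegSections allocates each marker segment, DiscardAllButExif frees the segments it is not keeping, and ClearOrientation (reached from -autorot) then writes a 16-bit value through a pointer that still refers to a freed segment, 50 bytes into the 1164-byte region. ASan classifies that as a heap-use-after-free, not a heap-buffer-overflow. The C model below is an added example, not jhead's code, that reproduces this data flow on a constructed three-section input and puts the vulnerable pruning beside a hardened one that invalidates the cached pointer before freeing its target. Only Put16u's byte-order semantics follow jhead; the Section_t layout, the section count, the assumption that a duplicated Exif (APP1) segment is what leaves the pointer dangling, and the helpers PointsInto, Put16uBothOrders and RunHardened are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the data flow in the sanitizer frames: names are borrowed from
 * the trace, bodies and layout are this example's construction, not jhead's. */

typedef unsigned char uchar;

#define M_EXIF 0xE1
#define M_DQT  0xDB
#define MAX_SECTIONS 8

typedef struct {
    uchar   *Data;   /* heap buffer holding the raw marker segment */
    unsigned Size;
    int      Type;   /* marker type, e.g. 0xE1 for APP1/Exif */
} Section_t;

static Section_t Sections[MAX_SECTIONS];
static int       SectionsRead;
static int       MotorolaOrder;   /* Exif byte order, as jhead keeps it */

/* Cached interior pointer to the Orientation tag's value inside a section
 * buffer. Caching it across a free is what makes the later write unsafe. */
static uchar *OrientationPtr;

/* Same semantics as jhead's Put16u: store a 16-bit value in Exif byte order. */
static void Put16u(void *Short, unsigned short PutValue)
{
    if (MotorolaOrder) {
        ((uchar *)Short)[0] = (uchar)(PutValue >> 8);
        ((uchar *)Short)[1] = (uchar)PutValue;
    } else {
        ((uchar *)Short)[0] = (uchar)PutValue;
        ((uchar *)Short)[1] = (uchar)(PutValue >> 8);
    }
}

/* Returns 0xAABBCCDD where AABB is v in Motorola order and CCDD in Intel order,
 * so the byte ordering is observable without a debugger. */
static unsigned Put16uBothOrders(unsigned short v)
{
    uchar m[2], in[2];
    MotorolaOrder = 1; Put16u(m, v);
    MotorolaOrder = 0; Put16u(in, v);
    return ((unsigned)m[0] << 24) | ((unsigned)m[1] << 16) | ((unsigned)in[0] << 8) | in[1];
}

/* Constructed input (assumption, the issue does not publish the PoC): two APP1
 * segments then a DQT segment, with the orientation tag found in the SECOND
 * APP1 segment, 50 bytes in, matching the offset in the ASan report. */
static void ReadJpegSectionsModel(void)
{
    static const int types[] = { M_EXIF, M_EXIF, M_DQT };
    SectionsRead = 0;
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        Section_t *s = &Sections[SectionsRead++];
        s->Size = 64;
        s->Data = calloc(s->Size, 1);
        s->Type = types[i];
    }
    MotorolaOrder  = 1;
    OrientationPtr = Sections[1].Data + 50;
}

static int PointsInto(const uchar *p, const Section_t *s)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)s->Data;
    return s->Data != NULL && a >= lo && a < lo + s->Size;
}

/* Keep the first Exif segment, free every other one. With invalidate_cached == 0
 * this is the vulnerable shape: OrientationPtr is left dangling into a freed
 * buffer. With 1 it is the hardened shape: the cached pointer is cleared before
 * the buffer it points into is released. */
static void DiscardAllButExif(int invalidate_cached)
{
    int exif = -1;
    for (int i = 0; i < SectionsRead; i++) {
        if (Sections[i].Type == M_EXIF && exif < 0) { exif = i; continue; }
        if (invalidate_cached && PointsInto(OrientationPtr, &Sections[i]))
            OrientationPtr = NULL;
        free(Sections[i].Data);
        Sections[i].Data = NULL;
    }
    if (exif < 0) { SectionsRead = 0; return; }
    Sections[0] = Sections[exif];
    SectionsRead = 1;
}

/* Returns 1 if an orientation value was rewritten, 0 if no valid pointer exists.
 * On the vulnerable path this Put16u is the "WRITE of size 1" ASan reported. */
static int ClearOrientation(void)
{
    if (OrientationPtr == NULL) return 0;
    Put16u(OrientationPtr, 1);
    return 1;
}

static void FreeSections(void)
{
    for (int i = 0; i < SectionsRead; i++) free(Sections[i].Data);
    SectionsRead = 0;
    OrientationPtr = NULL;
}

/* Hardened flow end to end; returns ClearOrientation's result (0: skipped). */
static int RunHardened(void)
{
    ReadJpegSectionsModel();
    DiscardAllButExif(1);
    int cleared = ClearOrientation();
    FreeSections();
    return cleared;
}

int main(void)
{
    /* The vulnerable flow is ReadJpegSectionsModel(); DiscardAllButExif(0);
     * ClearOrientation(); which writes into freed memory. It is deliberately not
     * run here; build with -fsanitize=address and call it to see the report shape. */
    printf("hardened flow: orientation cleared = %d (0 means the dangling write was skipped)\n",
           RunHardened());
    return 0;
}
```

The hardened pruning only removes the unsafe write; a complete fix would also re-locate the orientation tag inside the retained Exif segment, or decide which segment to keep before any pointer into the others is cached. Either way the invariant to enforce is that no interior pointer into a section buffer outlives the buffer.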
Related news
Gentoo Linux Security Advisory 202406-5 - Multiple vulnerabilities have been discovered in JHead, the worst of which may lead to arbitrary code execution. Versions greater than or equal to 3.08 are affected.
Ubuntu Security Notice 6108-1 - It was discovered that Jhead did not properly handle certain crafted images while rotating them. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service. Kyle Brown discovered that Jhead did not properly handle certain crafted images while regenerating the Exif thumbnail. An attacker could possibly use this issue to execute arbitrary commands.
Debian Linux Security Advisory 5294-1 - Jhead, a tool for manipulating EXIF data embedded in JPEG images, allowed attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50, -autorot or -ce option. In addition a buffer overflow error in exif.c has been addressed which could lead to a denial of service (application crash).