
Bug#968999: marked as done (jhead: Use-after-free in show_IPTC (jhead 3.04-3))



Your message dated Sat, 24 Apr 2021 13:18:31 +0000
with message-id <E1laIB5-0009nu-FI@fasolo.debian.org>
and subject line Bug#968999: fixed in jhead 1:3.04-6
has caused the Debian Bug report #968999,
regarding jhead: Use-after-free in show_IPTC (jhead 3.04-3)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
968999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968999
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: jhead
Version: 1:3.04-3
Severity: normal
X-Debbugs-Cc: borzacchiello@diag.uniroma1.it

Dear Maintainer,
running jhead with the attached input leads to a use-after-free in the show_IPTC function.

This is the output of valgrind (valgrind jhead ./uaf_show_IPTC):
==7591== Invalid read of size 4
==7591==    at 0x112B48: show_IPTC (iptc.c:85)
==7591==    by 0x10CACB: ProcessFile (jhead.c:955)
==7591==    by 0x10B6FB: main (jhead.c:1756)
==7591==  Address 0x4b584d3 is 13 bytes before a block of size 16 free'd
==7591==    at 0x48399AB: free (vg_replace_malloc.c:538)
==7591==    by 0x10E709: ReadJpegSections.part.0 (jpgfile.c:301)
==7591==    by 0x10EB08: ReadJpegSections (jpgfile.c:126)
==7591==    by 0x10EB08: ReadJpegFile (jpgfile.c:379)
==7591==    by 0x10CA4B: ProcessFile (jhead.c:905)
==7591==    by 0x10B6FB: main (jhead.c:1756)
==7591==  Block was alloc'd at
==7591==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==7591==    by 0x10E332: ReadJpegSections.part.0 (jpgfile.c:173)
==7591==    by 0x10EB08: ReadJpegSections (jpgfile.c:126)
==7591==    by 0x10EB08: ReadJpegFile (jpgfile.c:379)
==7591==    by 0x10CA4B: ProcessFile (jhead.c:905)
==7591==    by 0x10B6FB: main (jhead.c:1756)
--
Regards,
Luca Borzacchiello

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-42-generic (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages jhead depends on:
ii  libc6                2.31-3
ii  libjpeg-turbo-progs  1:2.0.5-1.1

jhead recommends no packages.

Versions of packages jhead suggests:
pn  imagemagick  <none>

-- no debconf information

Attachment: uaf_show_IPTC
Description: JPEG image


--- End Message ---
--- Begin Message ---
Source: jhead
Source-Version: 1:3.04-6
Done: Stephen Kitt <skitt@debian.org>

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 968999@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <skitt@debian.org> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Apr 2021 14:59:38 +0200
Source: jhead
Architecture: source
Version: 1:3.04-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Stephen Kitt <skitt@debian.org>
Closes: 968999 972617 986923
Changes:
 jhead (1:3.04-6) unstable; urgency=medium
 .
   * QA upload (Salzburg BSP).
   * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
     Closes: #986923.
   * Check IPTC lengths. Closes: #968999.
   * Allocate extra room when reading JPEG sections to avoid overflows.
     Closes: #972617.
Checksums-Sha1:
 0ae3d7282a6f16af02cd3b8cd09f020bdfd1d6cb 1795 jhead_3.04-6.dsc
 106826aa215ee31a20106276ed2d8ee2710e772a 8228 jhead_3.04-6.debian.tar.xz
 ceb4569096b7c3693d793974ccf2b18f68a906be 5924 jhead_3.04-6_source.buildinfo
Checksums-Sha256:
 3d786d1e0d28c01d0f4150760da133c3edf22b898c36d65e3cf5e3911350d2a0 1795 jhead_3.04-6.dsc
 5d7a3616bdcff435a94e5c38f96773390a3cbcca2ce092dcfe401fb8e08776fd 8228 jhead_3.04-6.debian.tar.xz
 a0c7d766d46cab476926d6b386e854ecd2bd0155de0a6584ce548697b21a3eaf 5924 jhead_3.04-6_source.buildinfo
Files:
 4dcb30a76ae37f0e84bf54260ef6f4fb 1795 graphics optional jhead_3.04-6.dsc
 1a2a449376706030f3e0cac8705a3fb5 8228 graphics optional jhead_3.04-6.debian.tar.xz
 3d3ac49429bf3ac85143c773ded4c0ac 5924 graphics optional jhead_3.04-6_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
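The report above shows an invalid 4-byte read at iptc.c:85 while show_IPTC walks the IPTC records of the attached JPEG, and the fix in 1:3.04-6 is summarised only as "Check IPTC lengths". The example below is added here to show the class of defect and its remedy; it is not jhead's code and is not derived from the attachment. It walks IPTC IIM datasets (0x1C, record number, dataset number, 16-bit big-endian length, value) in an unchecked form beside a bounds-checked one. It assumes the caller has already cut the raw IPTC block out of the JPEG APP13 segment (the "Photoshop 3.0" header and 8BIM resource wrapper are not parsed), rejects the extended-length form rather than handling it, and uses constructed sample bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPTC IIM dataset layout (the payload carried in the JPEG APP13 segment):
 *   0x1C | record (1 byte) | dataset (1 byte) | length (2 bytes, big-endian) | value[length]
 * A length with the high bit set announces the rarely used extended form,
 * which this example rejects rather than parses. */
#define IPTC_TAG 0x1C

typedef void (*iptc_cb)(uint8_t rec, uint8_t ds, const uint8_t *val, size_t vlen);

/* Unchecked walk: trusts the length field and assumes a full 5-byte header is
 * always present. Shown for contrast only: on a truncated or oversized record it
 * reads past the buffer. Never call this on untrusted data. */
int iptc_count_unchecked(const uint8_t *data, size_t len)
{
    const uint8_t *pos = data, *end = data + len;
    int n = 0;
    while (pos < end) {
        if (pos[0] != IPTC_TAG)
            return -1;
        /* reads pos[3] and pos[4] even when fewer than 5 bytes remain ... */
        size_t dlen = ((size_t)pos[3] << 8) | pos[4];
        /* ... then advances by an attacker-chosen amount, possibly far past end */
        pos += 5 + dlen;
        n++;
    }
    return n;
}

/* Checked walk: every header and value read is preceded by a remaining-bytes
 * test. Returns the number of datasets, or -1 if the block is malformed. */
int iptc_count_checked(const uint8_t *data, size_t len, iptc_cb cb)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < 5)
            return -1;                       /* truncated header */
        if (data[pos] != IPTC_TAG)
            return -1;                       /* lost sync */
        uint8_t rec = data[pos + 1];
        uint8_t ds  = data[pos + 2];
        size_t dlen = ((size_t)data[pos + 3] << 8) | data[pos + 4];
        if (dlen & 0x8000u)
            return -1;                       /* extended-length form: reject */
        pos += 5;
        if (dlen > len - pos)
            return -1;                       /* value would run past the buffer */
        if (cb)
            cb(rec, ds, data + pos, dlen);
        pos += dlen;
        n++;
    }
    return n;
}

/* Constructed samples (not taken from the bug's attachment). */
static const uint8_t IPTC_GOOD[] = {
    0x1C, 0x02, 0x05, 0x00, 0x05, 'T', 'i', 't', 'l', 'e',   /* 2:05 ObjectName */
    0x1C, 0x02, 0x78, 0x00, 0x02, 'H', 'i',                  /* 2:120 Caption */
};
static const uint8_t IPTC_OVERSIZED[] = {
    0x1C, 0x02, 0x05, 0x7F, 0xFF,          /* claims 32767 value bytes, carries none */
};
static const uint8_t IPTC_SHORT_HEADER[] = {
    0x1C, 0x02,                            /* header cut off after 2 bytes */
};

static void print_dataset(uint8_t rec, uint8_t ds, const uint8_t *val, size_t vlen)
{
    printf("%u:%u = \"%.*s\"\n", (unsigned)rec, (unsigned)ds, (int)vlen, (const char *)val);
}

int main(void)
{
    /* The unchecked walker is only ever fed the well-formed sample here. */
    printf("unchecked, well-formed: %d\n", iptc_count_unchecked(IPTC_GOOD, sizeof IPTC_GOOD));
    printf("checked, well-formed:   %d\n", iptc_count_checked(IPTC_GOOD, sizeof IPTC_GOOD, print_dataset));
    printf("checked, oversized:     %d\n", iptc_count_checked(IPTC_OVERSIZED, sizeof IPTC_OVERSIZED, NULL));
    printf("checked, short header:  %d\n", iptc_count_checked(IPTC_SHORT_HEADER, sizeof IPTC_SHORT_HEADER, NULL));
    return 0;
}
```

The two checks in the hardened walker are the whole difference: one before touching the 5-byte header, one before trusting the declared value length. Both are computed as "bytes remaining" rather than "pos + n < end", so they cannot themselves overflow the pointer. A fuzzing harness for any segment walker of this shape should feed it the oversized and short-header cases at minimum, since those are the two ways a length-prefixed record can lie.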
