
Bug#911220: marked as done (stretch-pu: package jhead/1:3.00-4)



Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #911220,
regarding stretch-pu: package jhead/1:3.00-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
911220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911220
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

Some CVEs were reported for jhead. I talked to the Debian security team.
The security issues are not critical and Salvatore Bonaccorso proposed
to update the package in stable using stretch-pu instead of the security
team.

The issues are already fixed in Debian unstable. I just reused the
patches (from debian/patches/) for stretch-pu.

changes:
  * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
  * d/p/33_fix_908176: Fix CVE-2018-16554
  * d/p/34_buffer_overflow: Fix heap buffer overflow


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog
--- jhead-3.00/debian/changelog	2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/changelog	2018-10-16 08:38:19.000000000 +0000
@@ -1,3 +1,11 @@
+jhead (1:3.00-4.1) stable; urgency=high
+
+  * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
+  * d/p/33_fix_908176: Fix CVE-2018-16554
+  * d/p/34_buffer_overflow: Fix heap buffer overflow
+
+ -- Ludovic Rousseau <rousseau@debian.org>  Tue, 16 Oct 2018 10:38:19 +0200
+
 jhead (1:3.00-4) unstable; urgency=medium
 
   * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213)
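Review bot: The new header line `jhead (1:3.00-4.1) stable; urgency=high` has two problems. The covering message calls the issues not critical, which does not match urgency=high, and 1:3.00-4.1 is the form of an NMU version rather than a stable-update version such as 1:3.00-4+deb9u1, so it could clash with an NMU of the unstable package. The third entry also names neither a CVE nor a bug number, unlike the two before it; adding the bug references carried in the patch headers (for example as Closes: entries) would make the changelog traceable.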
diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo jhead-3.00/debian/patches/32_crash_in_gpsinfo
--- jhead-3.00/debian/patches/32_crash_in_gpsinfo	1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/32_crash_in_gpsinfo	2018-10-16 08:33:06.000000000 +0000
@@ -0,0 +1,26 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Wed Sep  5 15:32:00 CEST 2018
+Subject: Fix heap buffer overflow
+
+Bug-Debian: http://bugs.debian.org/907925
+Description: Fix CVE-2018-17088
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -4,6 +4,7 @@
+ // Matthias Wandel,  Dec 1999 - Dec 2002 
+ //--------------------------------------------------------------------------
+ #include "jhead.h"
++#include <stdint.h>
+ 
+ #define MAX_GPS_TAG 0x1e
+ 
+@@ -101,7 +102,7 @@
+             unsigned OffsetVal;
+             OffsetVal = Get32u(DirEntry+8);
+             // If its bigger than 4 bytes, the dir entry contains an offset.
+-            if (OffsetVal+ByteCount > ExifLength){
++            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
+                 // Bogus pointer offset and / or bytecount value
+                 ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
+                 continue;
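Review bot: The wraparound guard in the changed condition compares against UINT32_MAX while OffsetVal is declared as plain `unsigned`, so the test is exact only where unsigned is 32 bits wide, and the type of ByteCount is not visible in this context. Using UINT_MAX from <limits.h> would match the declared type; alternatively, if ByteCount and ExifLength are unsigned, the form `ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount` avoids the addition entirely and needs no extra include. The patch header is also inconsistent with its file name: the Subject says "Fix heap buffer overflow" while the file is called 32_crash_in_gpsinfo, so one of the two should be aligned with what the CVE describes.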
diff -Nru jhead-3.00/debian/patches/33_fix_908176 jhead-3.00/debian/patches/33_fix_908176
--- jhead-3.00/debian/patches/33_fix_908176	1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/33_fix_908176	2018-10-16 08:35:19.000000000 +0000
@@ -0,0 +1,19 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep  8 16:19:07 CEST 2018
+Subject: fix heap buffer overflow
+
+Bug-Debian: https://bugs.debian.org/908176
+Description: Fix CVE-2018-16554
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -162,7 +162,8 @@
+                 break;
+ 
+             case TAG_GPS_ALT:
+-                sprintf(ImageInfo.GpsAlt + 1, "%.2fm", 
++                snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1,
++                    "%.2fm",
+                     ConvertAnyFormat(ValuePtr, Format));
+                 break;
+         }
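Review bot: The snprintf return value in the TAG_GPS_ALT case is ignored, so an over-long altitude string is now truncated silently instead of being reported. The size argument `sizeof(ImageInfo.GpsAlt) -1` is correct for a destination that starts one byte into the buffer, but only if GpsAlt is an array member and not a pointer; its declaration is not visible here and should be confirmed. Consider comparing the return value against the size passed and calling ErrNonfatal on truncation, as the neighbouring GPS checks do for bad input.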
diff -Nru jhead-3.00/debian/patches/34_buffer_overflow jhead-3.00/debian/patches/34_buffer_overflow
--- jhead-3.00/debian/patches/34_buffer_overflow	1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/34_buffer_overflow	2018-10-16 08:36:45.000000000 +0000
@@ -0,0 +1,15 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep  8 16:02:23 CEST 2018
+Subject: Fix heap buffer overflow
+
+--- a/jhead.c
++++ b/jhead.c
+@@ -670,7 +670,7 @@
+             NameExtra[0] = 0;
+         }
+ 
+-        sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra);
++        snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, NameExtra);
+ 
+         if (!strcmp(FileName, NewName)) break; // Skip if its already this name.
+ 
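Review bot: On the changed snprintf line, truncation is silent, so a long NewBaseName plus NameExtra can yield a NewName that has lost part of the name or the ".jpg" suffix, and the strcmp on the next line and the code after it would then work with that shortened name. Checking that the return value is non-negative and less than sizeof(NewName), and skipping the file with an error otherwise, would close that gap. sizeof(NewName) is only the buffer size if NewName is an array in this scope, which the context lines do not show. This patch also lacks the Bug-Debian and Description header fields that the other two patches carry.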
diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series
--- jhead-3.00/debian/patches/series	2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/patches/series	2018-10-16 08:37:07.000000000 +0000
@@ -5,3 +5,6 @@
 25_makefile
 27_documentation
 31_CVE-2016-3822
+32_crash_in_gpsinfo
+33_fix_908176
+34_buffer_overflow

--- End Message ---
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
