Bug#911220: stretch-pu: package jhead/1:3.00-4
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
Some CVEs were reported for jhead. I talked to Debian security team.
The security issues are not critical and Salvatore Bonaccorso proposed
to update the package in stable using stretch-pu instead of the security
team.
The issues are already fixed in Debian unstable. I just reused the
patches (from debian/patches/) for stretch-pu.
changes:
* d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
* d/p/33_fix_908176: Fix CVE-2018-16554
* d/p/34_buffer_overflow: Fix heap buffer overflow
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog
--- jhead-3.00/debian/changelog 2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/changelog 2018-10-16 08:38:19.000000000 +0000
@@ -1,3 +1,11 @@
+jhead (1:3.00-4.1) stable; urgency=high
+
+ * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
+ * d/p/33_fix_908176: Fix CVE-2018-16554
+ * d/p/34_buffer_overflow: Fix heap buffer overflow
+
+ -- Ludovic Rousseau <rousseau@debian.org> Tue, 16 Oct 2018 10:38:19 +0200
+
jhead (1:3.00-4) unstable; urgency=medium
* Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213)
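Review bot: The three new `d/p/...` items in the 1:3.00-4.1 entry carry no `Closes:` references, although the patch headers in this same diff name bugs 907925 and 908176, and the `34_buffer_overflow` item names neither a CVE nor a bug. Adding `(Closes: #907925)` and `(Closes: #908176)` to the first two items would tie the upload to those reports, as the 1:3.00-4 entry below does with `(Closes: #858213)`. The version `1:3.00-4.1` also reads like a non-maintainer upload; a stable update is normally versioned along the lines of `1:3.00-4+deb9u1`, which keeps it distinct from NMU numbering.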
diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo jhead-3.00/debian/patches/32_crash_in_gpsinfo
--- jhead-3.00/debian/patches/32_crash_in_gpsinfo 1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/32_crash_in_gpsinfo 2018-10-16 08:33:06.000000000 +0000
@@ -0,0 +1,26 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Wed Sep 5 15:32:00 CEST 2018
+Subject: Fix heap buffer overflow
+
+Bug-Debian: http://bugs.debian.org/907925
+Description: Fix CVE-2018-17088
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -4,6 +4,7 @@
+ // Matthias Wandel, Dec 1999 - Dec 2002
+ //--------------------------------------------------------------------------
+ #include "jhead.h"
++#include <stdint.h>
+
+ #define MAX_GPS_TAG 0x1e
+
+@@ -101,7 +102,7 @@
+ unsigned OffsetVal;
+ OffsetVal = Get32u(DirEntry+8);
+ // If its bigger than 4 bytes, the dir entry contains an offset.
+- if (OffsetVal+ByteCount > ExifLength){
++ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
+ // Bogus pointer offset and / or bytecount value
+ ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
+ continue;
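Review bot: In the second gpsinfo.c hunk, the new guard `OffsetVal > UINT32_MAX - ByteCount` hard-codes a 32-bit limit while `OffsetVal` is declared as plain `unsigned`, and the declarations of `ByteCount` and `ExifLength` are not in the context, so the check is only exact if these are 32-bit unsigned values. A form that avoids the addition altogether, such as `ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount` with all operands unsigned, does not depend on the type width and would not need `<stdint.h>`. If the current form is kept, a short comment stating that it guards against wrap-around of `OffsetVal+ByteCount` would help the next reader.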
diff -Nru jhead-3.00/debian/patches/33_fix_908176 jhead-3.00/debian/patches/33_fix_908176
--- jhead-3.00/debian/patches/33_fix_908176 1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/33_fix_908176 2018-10-16 08:35:19.000000000 +0000
@@ -0,0 +1,19 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep 8 16:19:07 CEST 2018
+Subject: fix heap buffer overflow
+
+Bug-Debian: https://bugs.debian.org/908176
+Description: Fix CVE-2018-16554
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -162,7 +162,8 @@
+ break;
+
+ case TAG_GPS_ALT:
+- sprintf(ImageInfo.GpsAlt + 1, "%.2fm",
++ snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1,
++ "%.2fm",
+ ConvertAnyFormat(ValuePtr, Format));
+ break;
+ }
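Review bot: In the `TAG_GPS_ALT` case, the size `sizeof(ImageInfo.GpsAlt) -1` matches the `+ 1` offset of the destination only if `GpsAlt` is an array member rather than a pointer, which the context does not show; worth confirming against the declaration in jhead.h. The return value of `snprintf` is dropped, so an oversized altitude string is silently truncated; that is acceptable for a display field, but a one-line comment saying so would make the intent clear. Only this one `sprintf` is converted, and the other cases of the switch are outside the context, so they are worth checking for the same pattern.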
diff -Nru jhead-3.00/debian/patches/34_buffer_overflow jhead-3.00/debian/patches/34_buffer_overflow
--- jhead-3.00/debian/patches/34_buffer_overflow 1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/34_buffer_overflow 2018-10-16 08:36:45.000000000 +0000
@@ -0,0 +1,15 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep 8 16:02:23 CEST 2018
+Subject: Fix heap buffer overflow
+
+--- a/jhead.c
++++ b/jhead.c
+@@ -670,7 +670,7 @@
+ NameExtra[0] = 0;
+ }
+
+- sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra);
++ snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, NameExtra);
+
+ if (!strcmp(FileName, NewName)) break; // Skip if its already this name.
+
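Review bot: In the jhead.c hunk, `snprintf(NewName, sizeof(NewName), ...)` stops the overflow, but a truncated result is still used as the new file name: it goes straight into the `strcmp(FileName, NewName)` test and can lose the `.jpg` suffix or match an unrelated name. Checking the return value against `sizeof(NewName)` and reporting an error when the name does not fit would be safer than continuing with the shortened name. The patch header also lacks the `Bug-Debian:` and `Description:` fields that the other two patches carry.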
diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series
--- jhead-3.00/debian/patches/series 2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/patches/series 2018-10-16 08:37:07.000000000 +0000
@@ -5,3 +5,6 @@
25_makefile
27_documentation
31_CVE-2016-3822
+32_crash_in_gpsinfo
+33_fix_908176
+34_buffer_overflow