
Bug#911220: stretch-pu: package jhead/1:3.00-4



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

Some CVEs were reported for jhead. I talked to the Debian security team.
The security issues are not critical and Salvatore Bonaccorso proposed
to update the package in stable using stretch-pu instead of the security
team.

The issues are already fixed in Debian unstable. I just reused the
patches (from debian/patches/) for stretch-pu.

changes:
  * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
  * d/p/33_fix_908176: Fix CVE-2018-16554
  * d/p/34_buffer_overflow: Fix heap buffer overflow


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog
--- jhead-3.00/debian/changelog	2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/changelog	2018-10-16 08:38:19.000000000 +0000
@@ -1,3 +1,11 @@
+jhead (1:3.00-4.1) stable; urgency=high
+
+  * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
+  * d/p/33_fix_908176: Fix CVE-2018-16554
+  * d/p/34_buffer_overflow: Fix heap buffer overflow
+
+ -- Ludovic Rousseau <rousseau@debian.org>  Tue, 16 Oct 2018 10:38:19 +0200
+
 jhead (1:3.00-4) unstable; urgency=medium
 
   * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213)
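Review bot: The new changelog stanza uses version 1:3.00-4.1 with distribution "stable", which reads as an NMU rather than a stretch point-release upload. For a stretch-pu upload the usual form is a +deb9u1 suffix on the stable version (1:3.00-4+deb9u1) with "stretch" as the target, which also keeps the version below whatever carries these fixes in unstable. The 34_buffer_overflow entry is the only one of the three without a CVE or bug number; a pointer to where it was reported would help the release team.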
diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo jhead-3.00/debian/patches/32_crash_in_gpsinfo
--- jhead-3.00/debian/patches/32_crash_in_gpsinfo	1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/32_crash_in_gpsinfo	2018-10-16 08:33:06.000000000 +0000
@@ -0,0 +1,26 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Wed Sep  5 15:32:00 CEST 2018
+Subject: Fix heap buffer overflow
+
+Bug-Debian: http://bugs.debian.org/907925
+Description: Fix CVE-2018-17088
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -4,6 +4,7 @@
+ // Matthias Wandel,  Dec 1999 - Dec 2002 
+ //--------------------------------------------------------------------------
+ #include "jhead.h"
++#include <stdint.h>
+ 
+ #define MAX_GPS_TAG 0x1e
+ 
+@@ -101,7 +102,7 @@
+             unsigned OffsetVal;
+             OffsetVal = Get32u(DirEntry+8);
+             // If its bigger than 4 bytes, the dir entry contains an offset.
+-            if (OffsetVal+ByteCount > ExifLength){
++            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
+                 // Bogus pointer offset and / or bytecount value
+                 ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
+                 continue;
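Review bot: In the gpsinfo.c bounds check, the new guard compares OffsetVal against UINT32_MAX, but OffsetVal is declared as plain unsigned, so the test is only exact where unsigned is 32 bits wide. Using UINT_MAX from <limits.h>, or dropping the addition altogether with ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount, would not depend on the width. The declarations of ByteCount and ExifLength are outside the context shown; the check only holds if both are unsigned, so that is worth confirming before upload.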
diff -Nru jhead-3.00/debian/patches/33_fix_908176 jhead-3.00/debian/patches/33_fix_908176
--- jhead-3.00/debian/patches/33_fix_908176	1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/33_fix_908176	2018-10-16 08:35:19.000000000 +0000
@@ -0,0 +1,19 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep  8 16:19:07 CEST 2018
+Subject: fix heap buffer overflow
+
+Bug-Debian: https://bugs.debian.org/908176
+Description: Fix CVE-2018-16554
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -162,7 +162,8 @@
+                 break;
+ 
+             case TAG_GPS_ALT:
+-                sprintf(ImageInfo.GpsAlt + 1, "%.2fm", 
++                snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1,
++                    "%.2fm",
+                     ConvertAnyFormat(ValuePtr, Format));
+                 break;
+         }
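Review bot: The snprintf call for TAG_GPS_ALT discards its return value, so an altitude string that does not fit is now silently truncated. The size argument sizeof(ImageInfo.GpsAlt) -1 matches the +1 offset of the destination, but only if GpsAlt is declared as an array and not a pointer, which the hunk does not show. Consider comparing the return value with the size and reporting the case (ErrNonfatal is already used in this file for bad GPS tags), and writing the subtraction as "- 1" for consistency.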
diff -Nru jhead-3.00/debian/patches/34_buffer_overflow jhead-3.00/debian/patches/34_buffer_overflow
--- jhead-3.00/debian/patches/34_buffer_overflow	1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/34_buffer_overflow	2018-10-16 08:36:45.000000000 +0000
@@ -0,0 +1,15 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep  8 16:02:23 CEST 2018
+Subject: Fix heap buffer overflow
+
+--- a/jhead.c
++++ b/jhead.c
+@@ -670,7 +670,7 @@
+             NameExtra[0] = 0;
+         }
+ 
+-        sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra);
++        snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, NameExtra);
+ 
+         if (!strcmp(FileName, NewName)) break; // Skip if its already this name.
+ 
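Review bot: At the NewName snprintf in jhead.c the result is not checked, so when NewBaseName plus NameExtra exceed the buffer the name is cut short, possibly losing the .jpg suffix, and still goes on to the strcmp against FileName. Comparing the return value with sizeof(NewName) and skipping the file on truncation would be safer. sizeof(NewName) is only the buffer size if NewName is an array in this scope, which the context does not show, and unlike the other two patches this header has no Bug-Debian or Description field.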
diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series
--- jhead-3.00/debian/patches/series	2017-03-20 19:26:16.000000000 +0000
+++ jhead-3.00/debian/patches/series	2018-10-16 08:37:07.000000000 +0000
@@ -5,3 +5,6 @@
 25_makefile
 27_documentation
 31_CVE-2016-3822
+32_crash_in_gpsinfo
+33_fix_908176
+34_buffer_overflow
