
Bug#911220: stretch-pu: package jhead/1:3.00-4



On 17/10/2018 at 11:15, Salvatore Bonaccorso wrote:
Hi

[Disclaimer: not an SRM but looking at the proposed update]

On Wed, Oct 17, 2018 at 10:28:15AM +0200, Ludovic Rousseau wrote:
+jhead (1:3.00-4.1) stable; urgency=high

Please use 1:3.00-4+deb9u1 as version. Using the codename instead of
'stable' would be preferred, but both work.

Thanks a lot for preparing the update!

New patch version with the package version fixed.

Bye

--
 Dr. Ludovic Rousseau
diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog
--- jhead-3.00/debian/changelog	2017-03-20 20:26:16.000000000 +0100
+++ jhead-3.00/debian/changelog	2018-10-16 10:38:19.000000000 +0200
@@ -1,3 +1,11 @@
+jhead (1:3.00-4+deb9u1) stretch; urgency=high
+
+  * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
+  * d/p/33_fix_908176: Fix CVE-2018-16554
+  * d/p/34_buffer_overflow: Fix heap buffer overflow
+
+ -- Ludovic Rousseau <rousseau@debian.org>  Tue, 16 Oct 2018 10:38:19 +0200
+
 jhead (1:3.00-4) unstable; urgency=medium
 
   * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213)
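Review bot: The three new changelog bullets do not mention the Debian bug numbers, although the headers of 32_crash_in_gpsinfo and 33_fix_908176 carry Bug-Debian references (907925 and 908176). Adding them to the bullets would let a reader go from the changelog to the reports without opening the patches. The third bullet, "Fix heap buffer overflow", gives neither an identifier nor the affected file; naming jhead.c there would distinguish it from the two gpsinfo.c fixes above it.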
diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo jhead-3.00/debian/patches/32_crash_in_gpsinfo
--- jhead-3.00/debian/patches/32_crash_in_gpsinfo	1970-01-01 01:00:00.000000000 +0100
+++ jhead-3.00/debian/patches/32_crash_in_gpsinfo	2018-10-16 10:33:06.000000000 +0200
@@ -0,0 +1,26 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Wed Sep  5 15:32:00 CEST 2018
+Subject: Fix heap buffer overflow
+
+Bug-Debian: http://bugs.debian.org/907925
+Description: Fix CVE-2018-17088
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -4,6 +4,7 @@
+ // Matthias Wandel,  Dec 1999 - Dec 2002 
+ //--------------------------------------------------------------------------
+ #include "jhead.h"
++#include <stdint.h>
+ 
+ #define MAX_GPS_TAG 0x1e
+ 
+@@ -101,7 +102,7 @@
+             unsigned OffsetVal;
+             OffsetVal = Get32u(DirEntry+8);
+             // If its bigger than 4 bytes, the dir entry contains an offset.
+-            if (OffsetVal+ByteCount > ExifLength){
++            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
+                 // Bogus pointer offset and / or bytecount value
+                 ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
+                 continue;
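Review bot: In the rewritten condition of the second gpsinfo.c hunk, the wraparound guard uses UINT32_MAX while OffsetVal is declared as plain "unsigned", so the constant matches the variable only where unsigned is 32 bits wide; UINT_MAX from <limits.h> would follow the declared type. The declarations of ByteCount and ExifLength are outside the visible context, so it is worth confirming how they convert in this mixed comparison. A form that never performs the addition sidesteps the question, for example "ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount" with the operands brought to one unsigned type, and would make the added <stdint.h> include unnecessary. Separately, the header's Subject says "Fix heap buffer overflow" while the file is named crash_in_gpsinfo; one of the two should say what the defect is.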
diff -Nru jhead-3.00/debian/patches/33_fix_908176 jhead-3.00/debian/patches/33_fix_908176
--- jhead-3.00/debian/patches/33_fix_908176	1970-01-01 01:00:00.000000000 +0100
+++ jhead-3.00/debian/patches/33_fix_908176	2018-10-16 10:35:19.000000000 +0200
@@ -0,0 +1,19 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep  8 16:19:07 CEST 2018
+Subject: fix heap buffer overflow
+
+Bug-Debian: https://bugs.debian.org/908176
+Description: Fix CVE-2018-16554
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -162,7 +162,8 @@
+                 break;
+ 
+             case TAG_GPS_ALT:
+-                sprintf(ImageInfo.GpsAlt + 1, "%.2fm", 
++                snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1,
++                    "%.2fm",
+                     ConvertAnyFormat(ValuePtr, Format));
+                 break;
+         }
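Review bot: The snprintf() call under case TAG_GPS_ALT ignores its return value, so an altitude string that does not fit is now truncated silently instead of being reported. Comparing the result with sizeof(ImageInfo.GpsAlt) - 1 and calling ErrNonfatal(), as the offset check earlier in gpsinfo.c does, would keep malformed input visible to the user. The size argument is only correct if GpsAlt is an array member and not a pointer; its declaration is not in this hunk, so that is worth a comment in the patch description. Minor style point: "sizeof(ImageInfo.GpsAlt) -1" reads better as "sizeof(ImageInfo.GpsAlt) - 1".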
diff -Nru jhead-3.00/debian/patches/34_buffer_overflow jhead-3.00/debian/patches/34_buffer_overflow
--- jhead-3.00/debian/patches/34_buffer_overflow	1970-01-01 01:00:00.000000000 +0100
+++ jhead-3.00/debian/patches/34_buffer_overflow	2018-10-16 10:36:45.000000000 +0200
@@ -0,0 +1,15 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep  8 16:02:23 CEST 2018
+Subject: Fix heap buffer overflow
+
+--- a/jhead.c
++++ b/jhead.c
+@@ -670,7 +670,7 @@
+             NameExtra[0] = 0;
+         }
+ 
+-        sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra);
++        snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, NameExtra);
+ 
+         if (!strcmp(FileName, NewName)) break; // Skip if its already this name.
+ 
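Review bot: After the new snprintf() into NewName, a truncated result is treated as a complete file name: the next visible line passes it straight to strcmp(FileName, NewName). Truncation cuts the end of the string first, so the ".jpg" suffix is the first thing lost. Checking for a negative return or one that is >= sizeof(NewName) and skipping the file with an error would be safer than continuing with a shortened name. As with the GpsAlt change, sizeof(NewName) is only right if NewName is an array, which this hunk does not show. The patch header also lacks the Description and Bug-Debian fields that 32_crash_in_gpsinfo and 33_fix_908176 have.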
diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series
--- jhead-3.00/debian/patches/series	2017-03-20 20:26:16.000000000 +0100
+++ jhead-3.00/debian/patches/series	2018-10-16 10:37:07.000000000 +0200
@@ -5,3 +5,6 @@
 25_makefile
 27_documentation
 31_CVE-2016-3822
+32_crash_in_gpsinfo
+33_fix_908176
+34_buffer_overflow
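Review bot: The three added series entries follow three different naming schemes (32_crash_in_gpsinfo by symptom, 33_fix_908176 by bug number, 34_buffer_overflow by bug class), while the existing 31_CVE-2016-3822 is named by CVE. Since the changelog maps 32 and 33 to CVE-2018-17088 and CVE-2018-16554, naming those two after their CVE would keep the series consistent and make the fixes easier to find later.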
