Bug#987485: unblock: jhead/1:3.04-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package jhead
It fixes a number of buffer overflows and related issues, applying
upstream fixes only.
The changelog is
jhead (1:3.04-6) unstable; urgency=medium
* QA upload (Salzburg BSP).
* CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
Closes: #986923.
* Check IPTC lengths. Closes: #968999.
* Allocate extra room when reading JPEG sections to avoid overflows.
Closes: #972617.
-- Stephen Kitt <skitt@debian.org> Sat, 24 Apr 2021 14:59:38 +0200
and the debdiff is attached.
unblock jhead/1:3.04-6
Regards,
Stephen
-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable'), (100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 4.19.0-12-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 2584ce0..2198041 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+jhead (1:3.04-6) UNRELEASED; urgency=medium
+
+ * QA upload (Salzburg BSP).
+ * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
+ Closes: #986923.
+ * Check IPTC lengths. Closes: #968999.
+ * Allocate extra room when reading JPEG sections to avoid overflows.
+ Closes: #972617.
+
+ -- Stephen Kitt <skitt@debian.org> Sat, 24 Apr 2021 13:59:35 +0200
+
jhead (1:3.04-5) unstable; urgency=medium
* QA upload.
diff --git a/debian/patches/allocate-extra.patch b/debian/patches/allocate-extra.patch
new file mode 100644
index 0000000..f060a3d
--- /dev/null
+++ b/debian/patches/allocate-extra.patch
@@ -0,0 +1,32 @@
+commit 5186ddcf9e35a7aa0ff0539489a930434a1325f4
+Author: Matthias <matthias@woodgears.ca>
+Date: Fri Oct 23 10:17:20 2020 -0300
+
+ Just allocate 20 bytes extra at the end of a section. Otherwise, we end
+ up with a whole lot of little checks for structures that the file says
+ are there but are unexpectedly cut off in fuzz tests
+
+--- a/jpgfile.c
++++ b/jpgfile.c
+@@ -170,7 +170,11 @@
+
+ Sections[SectionsRead].Size = itemlen;
+
+- Data = (uchar *)malloc(itemlen);
++ // Allocate an extra 20 bytes more than needed, because sometimes when reading structures,
++ // if the section erroneously ends before short structures that should be there, that can trip
++ // memory checkers in combination with fuzzers.
++ Data = (uchar *)malloc(itemlen+20);
++
+ if (Data == NULL){
+ ErrFatal("Could not allocate memory");
+ }
+@@ -477,7 +481,7 @@
+ return FALSE;
+ }
+
+- ThumbLen = 0;
++ ThumbLen = 0;
+ ThumbnailFile = NULL;
+ }
+
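Review bot: The 20-byte slack added at `Data = (uchar *)malloc(itemlen+20);` is never initialised, so a parser that reads a structure the section truncates now decodes uninitialised heap instead of faulting, and whatever it decodes can end up in jhead's printed output. Zeroing the tail once the section has been read (the read itself is outside this hunk), e.g. `memset(Data + itemlen, 0, 20);`, makes the truncated-structure case deterministic. The slack also only absorbs reads that run at most 20 bytes past the section, so it is a mitigation rather than a bounds check, and the new comment should say so; I would add `// NOTE: this only absorbs short over-reads; offsets taken from the file still need explicit bounds checks.` The function containing this allocation starts and ends outside the hunk.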
diff --git a/debian/patches/cve-2021-3496.patch b/debian/patches/cve-2021-3496.patch
new file mode 100644
index 0000000..1a7ce58
--- /dev/null
+++ b/debian/patches/cve-2021-3496.patch
@@ -0,0 +1,33 @@
+commit ca2973f4ce79279c15a09cf400648a757c1721b0
+Author: matthias wandel <matthias@woodgears.ca>
+Date: Wed Apr 14 09:01:30 2021 -0300
+
+ Fix another fuztest access too far beyond allocated bug
+
+--- a/makernote.c
++++ b/makernote.c
+@@ -64,7 +64,7 @@
+ unsigned OffsetVal;
+ OffsetVal = Get32u(DirEntry+8);
+ // If its bigger than 4 bytes, the dir entry contains an offset.
+- if (OffsetVal+ByteCount > ExifLength){
++ if (OffsetVal+ByteCount > (unsigned)ExifLength || OffsetVal > 65536){
+ // Bogus pointer offset and / or bytecount value
+ ErrNonfatal("Illegal value pointer for Exif maker tag %04x", Tag,0);
+ continue;
+@@ -119,6 +119,7 @@
+ }
+ }
+ if (Tag == 1 && Components > 16){
++ if (ByteCount < 17 * sizeof(short)) continue; // Fuzztest -- not enough allocated.
+ int IsoCode = Get16u(ValuePtr + 16*sizeof(unsigned short));
+ if (IsoCode >= 16 && IsoCode <= 24){
+ ImageInfo.ISOequivalent = 50 << (IsoCode-16);
+@@ -126,6 +127,7 @@
+ }
+
+ if (Tag == 4 && Format == FMT_USHORT){
++ if (ByteCount < 20 * sizeof(short)) continue; // Fuzztest -- not enough allocated.
+ if (Components > 7){
+ int WhiteBalance = Get16u(ValuePtr + 7*sizeof(unsigned short));
+ switch(WhiteBalance){
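Review bot: The first hunk's guard, `if (OffsetVal+ByteCount > (unsigned)ExifLength || OffsetVal > 65536)`, still forms the sum before comparing, so if ByteCount can be large enough for `OffsetVal+ByteCount` to wrap (its derivation is outside the hunk) the wrapped sum passes and ValuePtr is set past the buffer; the `OffsetVal > 65536` clause bounds the offset but not the byte count. A wrap-free form is `if (OffsetVal > (unsigned)ExifLength || ByteCount > (unsigned)ExifLength - OffsetVal)`, after which the bare 65536 is only needed if it encodes a format limit, in which case it deserves a named constant and a comment. The two added `continue` guards compare ByteCount against `sizeof(short)` products; if ByteCount is a signed int, a negative value converts to a large size_t and passes, so confirm it is unsigned or prepend `ByteCount < 0 ||`. The Tag 4 guard demands 40 bytes while the visible read is at index 7, which is safe but stricter than what the hunk shows; a comment naming the highest index read in that block would justify the constant. ProcessCanonMakerNoteDir starts and ends outside these hunks.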
diff --git a/debian/patches/invalid-IPTC-lengths.patch b/debian/patches/invalid-IPTC-lengths.patch
new file mode 100644
index 0000000..02626f1
--- /dev/null
+++ b/debian/patches/invalid-IPTC-lengths.patch
@@ -0,0 +1,56 @@
+commit 33e7a3f85e4f1d2184f60926087ff226a10c307e
+Author: Matthias <matthias@woodgears.ca>
+Date: Wed Mar 24 14:52:29 2021 -0300
+
+ Check for invalid lengths in iptc.c. Fixes issue 24
+
+diff --git a/iptc.c b/iptc.c
+index 06fa4e3..bb3d255 100644
+--- a/iptc.c
++++ b/iptc.c
+@@ -71,16 +71,15 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+
+
+ while (memcmp(pos, IptcSig3, sizeof(IptcSig3)) != 0) { // loop on valid Photoshop blocks
+-
+ pos += sizeof(IptcSig3); // move data pointer to the Header Length
+ // Skip header
+ headerLen = *pos; // get header length and move data pointer to the next field
+ pos += (headerLen & 0xfe) + 2; // move data pointer to the next field (Header is padded to even length, counting the length byte)
+-
++ if (pos+16 > maxpos) goto corrupt;
+ pos += 3; // move data pointer to length, assume only one byte, TODO: use all 4 bytes
+-
+ dataLen = *pos++;
+ pos += dataLen; // skip data section
++ if (pos+16 > maxpos) goto corrupt;
+
+ if (memcmp(pos, IptcSig2, sizeof(IptcSig2) - 1) != 0) {
+ badsig: if (ShowTags) {
+@@ -93,7 +92,7 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+
+ pos += sizeof(IptcSig3); // move data pointer to the next field
+
+- if (pos >= maxpos) goto corrupt;
++ if (pos+16 >= maxpos) goto corrupt;
+
+ // IPTC section found
+
+@@ -101,7 +100,7 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+ headerLen = *pos++; // get header length and move data pointer to the next field
+ pos += headerLen + 1 - (headerLen % 2); // move data pointer to the next field (Header is padded to even length, counting the length byte)
+
+- if (pos+4 >= maxpos) goto corrupt;
++ if (pos+8 >= maxpos) goto corrupt;
+
+ // Get length (from motorola format)
+ //length = (*pos << 24) | (*(pos+1) << 16) | (*(pos+2) << 8) | *(pos+3);
+@@ -111,7 +110,7 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+ printf("======= IPTC data: =======\n");
+
+ // Now read IPTC data
+- while (pos < (Data + itemlen-5)) {
++ while (pos+5 < maxpos) {
+ short signature;
+ unsigned char type = 0;
+ short length = 0;
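Review bot: The new `if (pos+16 > maxpos) goto corrupt;` checks run only after `pos` has been advanced by the file-controlled `headerLen` and `dataLen`, so `pos` can already point well past the section before the comparison; forming and comparing such a pointer is undefined behaviour in C, and the 16-byte margin is an unexplained constant that must stay at least as large as every read between one check and the next (`pos += 3` plus `*pos++`, then the `memcmp` against IptcSig2). Checking the remaining length before advancing avoids both issues, e.g. `if (maxpos - pos < (ptrdiff_t)dataLen + 16) goto corrupt;` placed before `pos += dataLen;`, with the same shape for the headerLen advance. The loop condition `while (memcmp(pos, IptcSig3, sizeof(IptcSig3)) != 0)` reads at `pos` before any of the added checks, so its safety on the first iteration rests on code outside the hunk and should be confirmed. I would also add, above the first check, `// invariant: at least 16 bytes remain after pos before any read below` so the margin can be reviewed against later edits. show_IPTC's body continues outside the hunk.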
diff --git a/debian/patches/series b/debian/patches/series
index c2cf11a..2fb5582 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,5 @@
02_exif.c
01_gpsinfo.c
+cve-2021-3496.patch
+invalid-IPTC-lengths.patch
+allocate-extra.patch