
Bug#987485: marked as done (unblock: jhead/1:3.04-6)



Your message dated Sat, 24 Apr 2021 19:21:43 +0200
with message-id <787e5402-8d2e-5bad-3330-a562cdeca450@debian.org>
and subject line Re: Bug#987485: unblock: jhead/1:3.04-6
has caused the Debian Bug report #987485,
regarding unblock: jhead/1:3.04-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987485: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987485
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package jhead

It fixes a number of buffer overflows and related issues, applying
upstream fixes only.

The changelog is

jhead (1:3.04-6) unstable; urgency=medium

  * QA upload (Salzburg BSP).
  * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
    Closes: #986923.
  * Check IPTC lengths. Closes: #968999.
  * Allocate extra room when reading JPEG sections to avoid overflows.
    Closes: #972617.

 -- Stephen Kitt <skitt@debian.org>  Sat, 24 Apr 2021 14:59:38 +0200

and the debdiff is attached.

unblock jhead/1:3.04-6

Regards,

Stephen


-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable'), (100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 4.19.0-12-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 2584ce0..2198041 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+jhead (1:3.04-6) UNRELEASED; urgency=medium
+
+  * QA upload (Salzburg BSP).
+  * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
+    Closes: #986923.
+  * Check IPTC lengths. Closes: #968999.
+  * Allocate extra room when reading JPEG sections to avoid overflows.
+    Closes: #972617.
+
+ -- Stephen Kitt <skitt@debian.org>  Sat, 24 Apr 2021 13:59:35 +0200
+
 jhead (1:3.04-5) unstable; urgency=medium
 
   * QA upload.
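Review bot: the distribution field in this hunk reads UNRELEASED and the timestamp is 13:59:35, while the changelog quoted in the unblock request says unstable and 14:59:38, so the debdiff was taken before the final release edit; the release team should confirm that the uploaded 1:3.04-6 source differs from the attached diff only in that changelog line.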
diff --git a/debian/patches/allocate-extra.patch b/debian/patches/allocate-extra.patch
new file mode 100644
index 0000000..f060a3d
--- /dev/null
+++ b/debian/patches/allocate-extra.patch
@@ -0,0 +1,32 @@
+commit 5186ddcf9e35a7aa0ff0539489a930434a1325f4
+Author: Matthias <matthias@woodgears.ca>
+Date:   Fri Oct 23 10:17:20 2020 -0300
+
+    Just allocate 20 bytes extra at the end of a section. Otherwise, we end
+    up with a whole lot of little checks for structures that the file says
+    are there but are unexpectedly cut off in fuzz tests
+
+--- a/jpgfile.c
++++ b/jpgfile.c
+@@ -170,7 +170,11 @@
+ 
+         Sections[SectionsRead].Size = itemlen;
+ 
+-        Data = (uchar *)malloc(itemlen);
++        // Allocate an extra 20 bytes more than needed, because sometimes when reading structures,
++        // if the section erroneously ends before short structures that should be there, that can trip
++        // memory checkers in combination with fuzzers.
++        Data = (uchar *)malloc(itemlen+20);
++	
+         if (Data == NULL){
+             ErrFatal("Could not allocate memory");
+         }
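Review bot: the `+20` in `Data = (uchar *)malloc(itemlen+20);` is slack, not a bounds check: a structure the file places more than 20 bytes past `itemlen` still runs off the allocation, and because malloc does not zero the tail, a structure that straddles the section end is parsed from stale heap contents instead of being rejected. If the slack is kept for the backport, allocate with calloc (or memset the last 20 bytes) so reads past the real section end see zeros, and rely on per-structure length checks of the kind cve-2021-3496.patch adds as the actual fix. The `++` line after the malloc also introduces a whitespace-only line (a lone tab) into the file.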
+@@ -477,7 +481,7 @@
+              return FALSE;
+         }
+ 
+-        ThumbLen = 0;
++        ThumbLen = 0;
+         ThumbnailFile = NULL;
+     }
+ 
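Review bot: the second hunk removes and re-adds `ThumbLen = 0;` with no visible difference, so it appears to change trailing whitespace only; drop it from the Debian patch so the backport carries just the security-relevant change and the series stays minimal.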
diff --git a/debian/patches/cve-2021-3496.patch b/debian/patches/cve-2021-3496.patch
new file mode 100644
index 0000000..1a7ce58
--- /dev/null
+++ b/debian/patches/cve-2021-3496.patch
@@ -0,0 +1,33 @@
+commit ca2973f4ce79279c15a09cf400648a757c1721b0
+Author: matthias wandel <matthias@woodgears.ca>
+Date:   Wed Apr 14 09:01:30 2021 -0300
+
+    Fix another fuztest access too far beyond allocated bug
+
+--- a/makernote.c
++++ b/makernote.c
+@@ -64,7 +64,7 @@
+             unsigned OffsetVal;
+             OffsetVal = Get32u(DirEntry+8);
+             // If its bigger than 4 bytes, the dir entry contains an offset.
+-            if (OffsetVal+ByteCount > ExifLength){
++            if (OffsetVal+ByteCount > (unsigned)ExifLength || OffsetVal > 65536){
+                 // Bogus pointer offset and / or bytecount value
+                 ErrNonfatal("Illegal value pointer for Exif maker tag %04x", Tag,0);
+                 continue;
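Review bot: `OffsetVal+ByteCount` is still summed in unsigned arithmetic before the comparison, so if `ByteCount` is not bounded earlier a large value can wrap the sum below `ExifLength` and pass; the new `OffsetVal > 65536` clause limits the offset but not the count. Test the two terms without forming the sum, e.g. `if (OffsetVal > (unsigned)ExifLength || ByteCount > (unsigned)ExifLength - OffsetVal || OffsetVal > 65536)`, and add a comment saying where the 65536 limit comes from, since nothing in the hunk explains it. The `(unsigned)` cast also turns a negative `ExifLength` into a huge bound; if `ExifLength` is a signed type, reject `ExifLength < 0` before this point.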
+@@ -119,6 +119,7 @@
+                 }
+         }
+         if (Tag == 1 && Components > 16){
++            if (ByteCount < 17 * sizeof(short)) continue; // Fuzztest -- not enough allocated.
+             int IsoCode = Get16u(ValuePtr + 16*sizeof(unsigned short));
+             if (IsoCode >= 16 && IsoCode <= 24){
+                 ImageInfo.ISOequivalent = 50 << (IsoCode-16);
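Review bot: the comment `// Fuzztest -- not enough allocated.` records how the bug was found rather than what the check enforces; reword it to state the invariant, e.g. `// reading index 16 needs 17 shorts`. The threshold `17 * sizeof(short)` (34 bytes) does cover the only read in the block, `Get16u(ValuePtr + 16*sizeof(unsigned short))`. Note that a truncated entry is now skipped silently with `continue`, whereas the hunk above reports the same class of malformed entry with `ErrNonfatal`; consider reporting here as well for consistency.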
+@@ -126,6 +127,7 @@
+         }
+ 
+         if (Tag == 4 && Format == FMT_USHORT){
++            if (ByteCount < 20 * sizeof(short)) continue; // Fuzztest -- not enough allocated.
+             if (Components > 7){
+                 int WhiteBalance = Get16u(ValuePtr + 7*sizeof(unsigned short));
+                 switch(WhiteBalance){
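Review bot: the threshold `20 * sizeof(short)` (40 bytes) does not correspond to the only read visible in the hunk, `Get16u(ValuePtr + 7*sizeof(unsigned short))`, which needs 16 bytes. If the rest of the `Tag == 4` block reads fields up to index 19, say so in the comment; otherwise the check rejects valid shorter entries, and if `ByteCount` is `Components` times the FMT_USHORT width, requiring 40 bytes also makes the `Components > 7` test below redundant. Either way, replace the `Fuzztest` comment with the reason for the constant.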
diff --git a/debian/patches/invalid-IPTC-lengths.patch b/debian/patches/invalid-IPTC-lengths.patch
new file mode 100644
index 0000000..02626f1
--- /dev/null
+++ b/debian/patches/invalid-IPTC-lengths.patch
@@ -0,0 +1,56 @@
+commit 33e7a3f85e4f1d2184f60926087ff226a10c307e
+Author: Matthias <matthias@woodgears.ca>
+Date:   Wed Mar 24 14:52:29 2021 -0300
+
+    Check for invalid lengths in iptc.c.  Fixes issue 24
+
+diff --git a/iptc.c b/iptc.c
+index 06fa4e3..bb3d255 100644
+--- a/iptc.c
++++ b/iptc.c
+@@ -71,16 +71,15 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+ 
+ 
+ 	while (memcmp(pos, IptcSig3, sizeof(IptcSig3)) != 0) { // loop on valid Photoshop blocks
+-
+ 		pos += sizeof(IptcSig3); // move data pointer to the Header Length
+ 		// Skip header
+ 		headerLen = *pos; // get header length and move data pointer to the next field
+ 		pos += (headerLen & 0xfe) + 2; // move data pointer to the next field (Header is padded to even length, counting the length byte)
+-
++        if (pos+16 > maxpos) goto corrupt;
+ 		pos += 3; // move data pointer to length, assume only one byte, TODO: use all 4 bytes
+-
+ 		dataLen = *pos++;
+ 		pos += dataLen; // skip data section
++        if (pos+16 > maxpos) goto corrupt;
+ 
+ 		if (memcmp(pos, IptcSig2, sizeof(IptcSig2) - 1) != 0) {
+ 			badsig: if (ShowTags) {
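Review bot: the first new check `if (pos+16 > maxpos) goto corrupt;` is placed after `headerLen = *pos;` and after the loop condition's `memcmp(pos, IptcSig3, sizeof(IptcSig3))`, both of which dereference `pos` once it has been advanced by `sizeof(IptcSig3)` and by the file-controlled `(headerLen & 0xfe) + 2`; move the check before those reads so nothing is dereferenced until the remaining length is known. Also, once `pos` can lie beyond `maxpos`, forming `pos+16` is pointer arithmetic outside the buffer, which is undefined behaviour a compiler may fold away; compare remaining length instead, e.g. `if (pos > maxpos || maxpos - pos < 16) goto corrupt;`, or track an offset against `itemlen` rather than a pointer. The added lines are indented with spaces where the surrounding code uses tabs.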
+@@ -93,7 +92,7 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+ 
+     pos += sizeof(IptcSig3);          // move data pointer to the next field
+ 
+-    if (pos >= maxpos) goto corrupt;
++    if (pos+16 >= maxpos) goto corrupt;
+ 
+     // IPTC section found
+ 
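Review bot: `pos+16 >= maxpos` widens the earlier `pos >= maxpos` by an unexplained 16 bytes, and the `>=` rejects a block that has exactly 16 bytes left even though the reads below may fit. Derive the constant from what the following code actually consumes (the signature, the header length byte and the padded header) and document it, or factor a small `need(pos, n)` helper used at each read site so the margins are tied to their consumers instead of being repeated as bare numbers.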
+@@ -101,7 +100,7 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+     headerLen = *pos++;                     // get header length and move data pointer to the next field
+     pos += headerLen + 1 - (headerLen % 2); // move data pointer to the next field (Header is padded to even length, counting the length byte)
+ 
+-    if (pos+4 >= maxpos) goto corrupt;
++    if (pos+8 >= maxpos) goto corrupt;
+ 
+     // Get length (from motorola format)
+     //length = (*pos << 24) | (*(pos+1) << 16) | (*(pos+2) << 8) | *(pos+3);
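Review bot: `pos += headerLen + 1 - (headerLen % 2);` advances by up to 256 bytes on a file-controlled `headerLen` before the `pos+8 >= maxpos` test, so the pointer may already be out of range when it is compared (the same undefined-behaviour concern as in the first hunk); check `headerLen` against the remaining length before the advance. Widening 4 to 8 is again a bare constant while the commented-out line below shows a 4-byte length read; state what the extra 4 bytes are for.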
+@@ -111,7 +110,7 @@ void show_IPTC (unsigned char* Data, unsigned int itemlen)
+     printf("======= IPTC data: =======\n");
+ 
+     // Now read IPTC data
+-    while (pos < (Data + itemlen-5)) {
++    while (pos+5 < maxpos) {
+         short  signature;
+         unsigned char   type = 0;
+         short  length = 0;
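Review bot: `while (pos+5 < maxpos)` is equivalent to the old `pos < (Data + itemlen-5)` only if `maxpos == Data + itemlen`, which this hunk does not show; confirm that definition. The 5 bytes cover the `signature`, `type` and `length` fields declared in the loop body, but if the body then skips `length` bytes of payload per record, that skip needs its own check against `maxpos` inside the loop, since the header check here does not bound it.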
diff --git a/debian/patches/series b/debian/patches/series
index c2cf11a..2fb5582 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,5 @@
 02_exif.c
 01_gpsinfo.c
+cve-2021-3496.patch
+invalid-IPTC-lengths.patch
+allocate-extra.patch
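Review bot: the three new patch files carry only the git `commit`/`Author`/`Date` header; add DEP-3 fields so the provenance and the Debian bugs are machine-readable, e.g. `Origin: upstream, commit:ca2973f4ce79279c15a09cf400648a757c1721b0` and `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986923` for cve-2021-3496.patch, and the corresponding commit ids and bugs #968999 and #972617 for the other two. The series applies allocate-extra.patch last although it is the oldest of the three commits; since each patch touches a different file (makernote.c, iptc.c, jpgfile.c) the order is harmless.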

--- End Message ---
--- Begin Message ---
Hi Stephen,

On 24-04-2021 15:50, Stephen Kitt wrote:
> Please unblock package jhead

unblocked.

Thanks

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---
