Package: scalpel Version: 1.60-1 Severity: important Tags: patch The configuration in scalpel.conf for finding JPEG files is flawed. It searches for a file with a header "FF D8 FF E0 00 10" and a footer "FF D9". However, through examining files from a digital camera and files made with GIMP, I have noticed that the fourth, fifth and sixth bytes vary between images. This causes scalpel to miss many JPEG files. I have also seen JPEG files (from the digital camera) that contain "FF D9" multiple times, not just at the end of the file. This causes scalpel to truncate the file prematurely, making it unviewable. A patch is included that makes scalpel's JPEG-detection behavior more reliable.
-- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 2.6.38-6.dmz.1-liquorix-amd64 (SMP w/4 CPU cores; PREEMPT) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages scalpel depends on: ii libc6 2.13-7 Embedded GNU C Library: Shared lib scalpel recommends no packages. scalpel suggests no packages. -- Configuration Files: /etc/scalpel/scalpel.conf changed [not included] -- no debconf information
--- scalpel.conf.old 2011-06-27 13:48:48.747884582 -0500 +++ scalpel.conf.new 2011-06-27 13:49:26.479884594 -0500 @@ -84,7 +84,8 @@ # GIF and JPG files (very common) # gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b # gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b -# jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9 +# jpg y 200000000 \xff\xd8\xff???Exif \xff\xd9 REVERSE +# jpg y 200000000 \xff\xd8\xff???JFIF \xff\xd9 REVERSE # # # PNG
--- scalpel.conf.old 2011-06-27 13:48:48.747884582 -0500 +++ scalpel.conf.new 2011-06-27 13:49:26.479884594 -0500 @@ -84,7 +84,8 @@ # GIF and JPG files (very common) # gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b # gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b -# jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9 +# jpg y 200000000 \xff\xd8\xff???Exif \xff\xd9 REVERSE +# jpg y 200000000 \xff\xd8\xff???JFIF \xff\xd9 REVERSE # # # PNG

