Your message dated Sat, 24 Apr 2021 13:18:31 +0000
with message-id <e1laib5-0009nz...@fasolo.debian.org>
and subject line Bug#972617: fixed in jhead 1:3.04-6
has caused the Debian Bug report #972617,
regarding heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
972617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jhead
Version: 3.04-4

Bug Description

fstark@fstark-virtual-machine:~/jhead$ ./jhead fuzz1\:id\:000015\,sig\:06\,src\:000476\,time\:412880\,op\:arith8\,pos\:31\,val\:+29
=================================================================
==957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd2 at pc 0x7f6d38f94676 bp 0x7ffd0abe47d0 sp 0x7ffd0abe3f78
READ of size 4 at 0x60200000efd2 thread T0
    #0 0x7f6d38f94675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x40e810 in ReadJpegSections /home/fstark/jhead/jpgfile.c:285
    #2 0x410e86 in ReadJpegSections /home/fstark/jhead/jpgfile.c:125
    #3 0x410e86 in ReadJpegFile /home/fstark/jhead/jpgfile.c:378
    #4 0x40858b in ProcessFile /home/fstark/jhead/jhead.c:905
    #5 0x402f2c in main /home/fstark/jhead/jhead.c:1756
    #6 0x7f6d3886a83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #7 0x406708 in _start (/home/fstark/jhead/jhead+0x406708)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7f6d38fb5602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e4a8 in ReadJpegSections /home/fstark/jhead/jpgfile.c:172

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[02]fa fa fa 02 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:            00
  Partially addressable:  01 02 03 04 05 06 07
  Heap left redzone:      fa
  Heap right redzone:     fb
  Freed heap region:      fd
  Stack left redzone:     f1
  Stack mid redzone:      f2
  Stack right redzone:    f3
  Stack partial redzone:  f4
  Stack after return:     f5
  Stack use after scope:  f8
  Global redzone:         f9
  Global init order:      f6
  Poisoned by user:       f7
  Container overflow:     fc
  Array cookie:           ac
  Intra object redzone:   bb
  ASan internal:          fe
==957==ABORTING
poc (2)
Description: Binary data
--- End Message ---
--- Begin Message ---
Source: jhead
Source-Version: 1:3.04-6
Done: Stephen Kitt <sk...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 972...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <sk...@debian.org> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Apr 2021 14:59:38 +0200
Source: jhead
Architecture: source
Version: 1:3.04-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Stephen Kitt <sk...@debian.org>
Closes: 968999 972617 986923
Changes:
 jhead (1:3.04-6) unstable; urgency=medium
 .
   * QA upload (Salzburg BSP).
   * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
     Closes: #986923.
   * Check IPTC lengths. Closes: #968999.
   * Allocate extra room when reading JPEG sections to avoid overflows.
     Closes: #972617.
--- End Message ---
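
Added example, not code from jhead or from the Debian patch: the trace above shows a 4-byte memcmp read starting right at the end of a 2-byte section buffer, and the changelog describes the fix as allocating extra room. The C below shows that kind of zeroed slack together with an explicit length check before the compare, which goes one step beyond the changelog entry. read_section, section_has_sig, check_sample, the SECTION_PAD value of 20 and the sample bytes are all made up for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTION_PAD 20 /* assumed slack size; the page gives no figure */
/* Copy one section (FF, marker, 16-bit big-endian length, payload) into a
 * zeroed buffer of length + SECTION_PAD bytes. Returns NULL if malformed. */
unsigned char *read_section(const unsigned char *buf, size_t buflen, size_t *len_out)
{
    if (buflen < 4 || buf[0] != 0xFF)
        return NULL;
    size_t len = ((size_t)buf[2] << 8) | buf[3]; /* counts its own 2 bytes */
    if (len < 2 || len > buflen - 2)
        return NULL; /* declared length runs past the data we hold */
    unsigned char *data = calloc(len + SECTION_PAD, 1);
    if (data != NULL) {
        memcpy(data, buf + 2, len);
        *len_out = len;
    }
    return data;
}

/* Compare only when the declared length covers the signature. */
int section_has_sig(const unsigned char *data, size_t len, const char *sig, size_t siglen)
{
    return len >= 2 && len - 2 >= siglen && memcmp(data + 2, sig, siglen) == 0;
}

/* Constructed inputs: empty APP1, APP1 holding "Exif", length past end of data. */
static const unsigned char SAMPLE_EMPTY[] = { 0xFF, 0xE1, 0x00, 0x02 };
static const unsigned char SAMPLE_EXIF[]  = { 0xFF, 0xE1, 0x00, 0x08, 'E', 'x', 'i', 'f', 0, 0 };
static const unsigned char SAMPLE_TRUNC[] = { 0xFF, 0xE1, 0x00, 0x10, 'E', 'x' };

/* Returns -1 for malformed input, 1 if the section starts with "Exif", else 0. */
int check_sample(const unsigned char *buf, size_t n)
{
    size_t len = 0;
    unsigned char *data = read_section(buf, n, &len);
    if (data == NULL)
        return -1;
    int r = section_has_sig(data, len, "Exif", 4);
    free(data);
    return r;
}

int main(void)
{
    printf("%d %d %d\n", check_sample(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY),
           check_sample(SAMPLE_EXIF, sizeof SAMPLE_EXIF), check_sample(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

SAMPLE_EMPTY has the same shape as the allocation in the report (a section whose declared length is only its own two length bytes). Building with -fsanitize=address confirms that none of the three inputs triggers a report.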