Your message dated Fri, 29 May 2015 04:21:14 +0000
with message-id <e1yybng-0002qb...@franck.debian.org>
and subject line Bug#779525: fixed in exifprobe 2.0.1-6
has caused the Debian Bug report #779525,
regarding exifprobe: double free or corruption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779525: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: exifprobe
Version: 2.0.1-3
Severity: important
Tags: security

The following attached sample file crashes exifprobe. The sample file was fuzzed with
american fuzzy lop <http://lcamtuf.coredump.cx/afl/>.

00000000  ff d8 ff e0 00 12 4a 46  58 58 00 10 ff c7 00 08  |......JFXX......|
00000010  3e 46 58 58 00 f5 c6 31                           |>FXX...1|
00000018

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
(gdb) file exifprobe
Reading symbols from exifprobe-2.0.1/exifprobe...done.
(gdb) run -c sample.jpg
Starting program: exifprobe-2.0.1/exifprobe -c sample.jpg
File Name = sample.jpg
File Type = JPEG
File Size = 24
@000000000=0       :  <JPEG_SOI>
@0x0000002=2       :    <JPEG_APP0> 0xffe0 length 18, 'JFXX'
@0x000000b=11      :       extension code 0x10 - JPEG thumbnail
@0x000000c=12      :        <JPEG_SOF_7> length 8, 62 bits/sample, components=245, width=22528, height=18008
@0x0000016=22      :        <ChromaBlurRadius> INVALID JPEG TAG
@0x0000015=21      :      #### End of JPEG thumbnail data for APP0, length 10 ####
@0x0000015=21      :    </JPEG_APP0>
@0x0000016=22      :    <ChromaBlurRadius> INVALID JPEG TAG
-0x0000017=23      :  END OF FILE
@000000000=0       :  Start of JPEG (UNKNOWN JPEG compression) primary image [0x0] length 0 (APP0 JFXX) (CORRUPTED) (no image)
@0x000000c=12      :  Start of JPEG differential lossless Huffman reduced-resolution image [22528x18008] length 10 (NO SOI)
-0x0000015=21      :    End of JPEG reduced-resolution image data
Number of images = 2
Images not found = 2
File Format = JPEG/APP0/JFXX
*** glibc detected *** exifprobe-2.0.1/exifprobe: double free or corruption (!prev): 0x00000000007593a0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x75be6)[0x7ffff7845be6]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7ffff784a98c]
exifprobe-2.0.1/exifprobe[0x43affb]
exifprobe-2.0.1/exifprobe[0x401e54]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ffff77eeead]
exifprobe-2.0.1/exifprobe[0x403289]

Program received signal SIGABRT, Aborted.
0x00007ffff7802165 in *__GI_raise (sig=<optimized out>) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt full
#0  0x00007ffff7802165 in *__GI_raise (sig=<optimized out>) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <optimized out>
        selftid = <optimized out>
#1  0x00007ffff78053e0 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0x7fffffffdf18, sa_sigaction 
= 0x7fffffffdf18}, sa_mask = {__val = {140737488346880, 140737488350391, 44, 
140737346920731, 3, 140737488346890, 6, 140737346920735, 2, 140737488346878, 2, 
140737346911721, 1, 140737346920731, 3, 140737488346884}}, sa_flags = 12, 
          sa_restorer = 0x7ffff791e11f}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007ffff783c39b in __libc_message (do_abort=<optimized out>, 
fmt=<optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 
0x7fffffffe880, reg_save_area = 0x7fffffffe790}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 
0x7fffffffe880, reg_save_area = 0x7fffffffe790}}
        fd = 8
        on_2 = <optimized out>
        list = <optimized out>
        nlist = 0
        cp = <optimized out>
        written = false
#3  0x00007ffff7845be6 in malloc_printerr (action=3, str=0x7ffff7920270 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:6312
        buf = "00000000007593a0"
        cp = 0x7ffff7915e40 "0123456789abcdefghijklmnopqrstuvwxyz"
#4  0x00007ffff784a98c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738
        ar_ptr = 0x7ffff7b56e40
        p = 0x6
#5  0x000000000043affb in destroy_summary (summary_entry=0x7593a0) at process.c:1704
        prev_entry = 0x759250
#6  0x0000000000401e54 in main (argc=<optimized out>, argv=0x7fffffffea70) at main.c:322
        file = 0x7fffffffece7 "sample.jpg"
        name = <optimized out>
        inptr = 0x759010
        status = 8
        max_offset = <optimized out>
        ifd_offset = <optimized out>
        dumplength = <optimized out>
        header = <optimized out>
        summary_entry = 0x759250
        filesize = 24
        chpr = <optimized out>
#7  0x00007ffff77eeead in __libc_start_main (main=<optimized out>, 
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, 
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffea48) at 
libc-start.c:244
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -3639622040855898393, 
4207200, 140737488349776, 0, 0, 3639622040104343271, 3639640723441719015}, 
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x53dc90, 0x7fffffffea58}, data 
= {prev = 0x0, cleanup = 0x0, canceltype = 5495952}}}
        not_first_call = <optimized out>
#8  0x0000000000403289 in _start ()
No symbol table info available.

-- 
Henri Salo

--- End Message ---
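
For triage of the sample in the report above, the following added example (not exifprobe code and not the fix-issues-found-by-afl patch) decodes the embedded SOF_7 header at offset 12 and checks it against the JPEG frame-header rules, reproducing the "62 bits/sample, components=245" values exifprobe printed. All function and constant names are hypothetical, and the check only shows that the input is malformed; it does not identify the cause of the double free.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* The 24 bytes of the report's hex dump; every name here is hypothetical. */
static const uint8_t sample[24] = {
    0xff, 0xd8, 0xff, 0xe0, 0x00, 0x12, 0x4a, 0x46, 0x58, 0x58, 0x00, 0x10,
    0xff, 0xc7, 0x00, 0x08, 0x3e, 0x46, 0x58, 0x58, 0x00, 0xf5, 0xc6, 0x31};
enum { SOF_TRUNCATED = 1, SOF_BAD_PRECISION = 2, SOF_BAD_LENGTH = 4 };
struct sof { unsigned len, precision, height, width, ncomp; };
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Offset of the first SOFn marker (FFC0..FFCF except DHT/JPG/DAC) at or
 * after `from`, or -1. A plain byte scan, enough for triage of one file. */
long find_sof(const uint8_t *b, size_t n, size_t from)
{
    for (size_t i = from; i + 1 < n; i++) {
        uint8_t m = b[i + 1];
        if (b[i] == 0xff && m >= 0xc0 && m <= 0xcf &&
            m != 0xc4 && m != 0xc8 && m != 0xcc)
            return (long)i;
    }
    return -1;
}

/* Decode the frame header at `off` and check it against ITU-T T.81: precision
 * 2..16 bits, segment length == 8 + 3 * components. Returns 0 if consistent. */
int check_sof(const uint8_t *b, size_t n, size_t off, struct sof *s)
{
    int bad = 0;
    if (n < 10 || off > n - 10) return SOF_TRUNCATED; /* header incomplete */
    s->len = be16(b + off + 2);
    s->precision = b[off + 4];
    s->height = be16(b + off + 5);
    s->width = be16(b + off + 7);
    s->ncomp = b[off + 9];
    if (s->precision < 2 || s->precision > 16) bad |= SOF_BAD_PRECISION;
    if (s->len != 8 + 3 * s->ncomp) bad |= SOF_BAD_LENGTH;
    if (s->len > n - off - 2) bad |= SOF_TRUNCATED;   /* body runs past EOF */
    return bad;
}

int main(void)
{
    struct sof s;
    long off = find_sof(sample, sizeof sample, 2);
    int r = off < 0 ? -1 : check_sof(sample, sizeof sample, (size_t)off, &s);
    printf("SOF at %ld, flags %d\n", off, r);
    return 0;
}
```
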
--- Begin Message ---
Source: exifprobe
Source-Version: 2.0.1-6

We believe that the bug you reported is fixed in the latest version of
exifprobe, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joao Eriberto Mota Filho <eribe...@debian.org> (supplier of updated exifprobe 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 28 May 2015 18:58:35 -0300
Source: exifprobe
Binary: exifprobe
Architecture: source amd64
Version: 2.0.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Forensics <forensics-devel@lists.alioth.debian.org>
Changed-By: Joao Eriberto Mota Filho <eribe...@debian.org>
Description:
 exifprobe  - read metadata from digital pictures
Closes: 779525 779527
Changes:
 exifprobe (2.0.1-6) unstable; urgency=medium
 .
   * Upload to unstable.
   * debian/control: added the Homepage field.
   * debian/patches/fix-issues-found-by-afl: added to fix some issues detected
       by AFL. (Closes: #779525, #779527)
   * debian/watch: pointing to new upstream site.
Checksums-Sha1:
 267a0e85450ba6e5081d4cd292aca0c6bd5a125f 1928 exifprobe_2.0.1-6.dsc
 ba5184c3e922721f66646c0dd2c59718e484be97 6928 exifprobe_2.0.1-6.debian.tar.xz
 2f93c9d44944d4289c34c2e296832dd16a1b627f 166992 exifprobe_2.0.1-6_amd64.deb
Checksums-Sha256:
 3003cd6e630378663b48b3f5269736aec43789d5e594178eefe2fab4e296454e 1928 
exifprobe_2.0.1-6.dsc
 b93d04a6be5a5ebf72ec6bd4e88e38ec9a9cf67abcff694323db8babb4c7c6e8 6928 
exifprobe_2.0.1-6.debian.tar.xz
 7c1e9e3e10e93e44f1b31ddc4b5697fe73609ee2906184ad9fd7e0cd86b5466e 166992 
exifprobe_2.0.1-6_amd64.deb
Files:
 45511bcd85df011c5424e7cc2ec3b67d 1928 graphics optional exifprobe_2.0.1-6.dsc
 367fb400b3da5462b7724f91b1c2a599 6928 graphics optional 
exifprobe_2.0.1-6.debian.tar.xz
 d2c716a8a52089f46a65ddd5a7a59ccc 166992 graphics optional 
exifprobe_2.0.1-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---