I'm sorry, I did not run jhead with Debian patches before. I patched it
just now. But I did not see the patch file for gpsinfo.c. So this
vulnerability still exists in gpsinfo.c (line 104). I am not sure if I
missed the patch file. The poc is in the attachment.

Ludovic Rousseau <ludovic.rouss...@gmail.com> wrote on Wed, 5 Sep 2018 at 16:10:

> Hello,
>
> On 04/09/2018 at 09:32, Hanfang Zhang wrote:
> > Package: jhead
> > Version: 3.00-7
> >
> > Integer overflow while running jhead. There is an integer overflow in
> > exif.c line 530. When OffsetVal=0xffff0014, ByteCount=0xffff,
> > ExifLength=0X13e, this check will be passed. So when executing strncpy
> > function it will lead to a segmentation fault. It may allow a remote
> > attacker to cause unspecified impact including denial-of-service
> > attack. Detailed log as follows:
> >
> > zhang123@ubuntu:~/Desktop/jhead-3.00$ ./jhead ./testfile
> > ASAN:SIGSEGV
> > =================================================================
> > ==21157==ERROR: AddressSanitizer: SEGV on unknown address 0x6130ffffde90
> (pc 0x7efd4499e900 bp 0x7fffcbe95d50 sp 0x7fffcbe954d8 T0)
> >      #0 0x7efd4499e8ff in strnlen
> (/lib/x86_64-linux-gnu/libc.so.6+0x8b8ff)
> >      #1 0x7efd4505c4e2 in __interceptor_strncpy
> (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x764e2)
> >      #2 0x40efad in ProcessExifDir
> (/home/zhang123/Desktop/jhead-3.00/jhead+0x40efad)
> >      #3 0x410399 in process_EXIF
> (/home/zhang123/Desktop/jhead-3.00/jhead+0x410399)
> >      #4 0x40830d in ReadJpegSections.part.0
> (/home/zhang123/Desktop/jhead-3.00/jhead+0x40830d)
> >      #5 0x4087dd in ReadJpegFile
> (/home/zhang123/Desktop/jhead-3.00/jhead+0x4087dd)
> >      #6 0x4049f6 in ProcessFile
> (/home/zhang123/Desktop/jhead-3.00/jhead+0x4049f6)
> >      #7 0x402575 in main
> (/home/zhang123/Desktop/jhead-3.00/jhead+0x402575)
> >      #8 0x7efd4493382f in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> >      #9 0x403998 in _start
> (/home/zhang123/Desktop/jhead-3.00/jhead+0x403998)
> >
> > AddressSanitizer can not provide additional info.
> > SUMMARY: AddressSanitizer: SEGV ??:0 strnlen
> > ==21157==ABORTING
> >
> > This bug was found by Hanfang Zhang at Sichuan University. Request a CVE
> ID. Thanks.
>
> I cannot reproduce your problem using the current version of jhead.
> I have:
> $ jhead testfile
>
> Nonfatal Error : 'testfile' Illegal value pointer for tag 0132 in Exif
>
> Nonfatal Error : 'testfile' Illegal number format 134 for tag 0000 in Exif
>
> Nonfatal Error : 'testfile' Illegal number format 154 for tag 0000 in Exif
>
> Nonfatal Error : 'testfile' Illegally sized Exif subdirectory (1279
> entries)
>
> Nonfatal Error : 'testfile' Extraneous 10 padding bytes before section DB
>
> Nonfatal Error : 'testfile' Extraneous 28 padding bytes before section C0
>
> Error : Premature end of file?
> in file 'testfile'
>
>
> But I can reproduce the crash if I rebuild jhead _without_ using the
> Debian patches.
>
> Program received signal SIGSEGV, Segmentation fault.
> __strncpy_sse2_unaligned ()
>      at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:63
> 63      ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: Aucun fichier
> ou dossier de ce type.
> (gdb) bt
> #0  __strncpy_sse2_unaligned ()
>      at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:63
> #1  0x000055555555d100 in ProcessExifDir (
>      DirStart=DirStart@entry=0x55555556f530 "",
>      OffsetBase=OffsetBase@entry=0x55555556f528 "MM",
>      ExifLength=ExifLength@entry=318, NestingLevel=NestingLevel@entry=0)
>      at exif.c:634
> #2  0x000055555555d741 in process_EXIF (
>      ExifSection=0x55555556f520 "\001FExif", length=326) at exif.c:1034
> #3  0x000055555555a82a in ReadJpegSections (
>      infile=infile@entry=0x55555556e2c0, ReadMode=ReadMode@entry
> =READ_METADATA)
>      at jpgfile.c:287
> #4  0x000055555555ab06 in ReadJpegSections (ReadMode=READ_METADATA,
>      infile=0x55555556e2c0) at jpgfile.c:355
> #5  ReadJpegFile (FileName=0x7fffffffe253 "/home/rousseau/testfile",
>      ReadMode=READ_METADATA) at jpgfile.c:375
> #6  0x0000555555558861 in ProcessFile (
>      FileName=0x7fffffffe253 "/home/rousseau/testfile") at jhead.c:896
> #7  0x000055555555769c in main (argc=<optimized out>, argv=0x7fffffffdf28)
>      at jhead.c:1730
> (gdb)
>
> I think the problem you are reporting is known as CVE-2016-3822 and has
> already been fixed for Debian in
> https://sources.debian.org/src/jhead/1:3.00-7/debian/patches/31_CVE-2016-3822/
> for jhead version 1:3.00-4
>
> If you think I am wrong please comment on this bug report and I will
> reopen it.
>
> Regards,
>
> --
>   Dr. Ludovic Rousseau
>

Attachment: poc
Description: Binary data
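The check described in the quoted report (OffsetVal + ByteCount compared against ExifLength, with the values 0xffff0014, 0xffff and 0x13e) is a classic unsigned wraparound: the sum wraps to a small number and the bogus value pointer is accepted. The following is an added example, not jhead's code and not from either correspondent: a constructed model of the check in its naive and hardened forms. The function names, the `tag_data` helper and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an EXIF value-pointer bounds check (not jhead's code).
 * OffsetVal : 32-bit offset of the tag's data from the start of the EXIF section
 * ByteCount : number of bytes the tag claims its value occupies
 * ExifLength: size of the EXIF section actually read from the file */

/* Naive check: OffsetVal + ByteCount is computed in 32-bit unsigned
 * arithmetic, so 0xffff0014 + 0xffff wraps to 0x13, which is < 0x13e. */
bool naive_pointer_ok(uint32_t OffsetVal, uint32_t ByteCount, uint32_t ExifLength)
{
    return !(OffsetVal + ByteCount > ExifLength);
}

/* Hardened check: rearranged so that no addition can overflow.
 * First reject offsets past the end, then compare the count against
 * the space that remains (ExifLength - OffsetVal cannot underflow here). */
bool safe_pointer_ok(uint32_t OffsetVal, uint32_t ByteCount, uint32_t ExifLength)
{
    if (OffsetVal > ExifLength)
        return false;
    return ByteCount <= ExifLength - OffsetVal;
}

/* Hypothetical accessor: returns a pointer to the tag's bytes inside the
 * EXIF section, or NULL when the (offset, count) pair is out of bounds.
 * Any later strncpy/memcpy from the returned pointer stays inside the buffer. */
const uint8_t *tag_data(const uint8_t *exif, uint32_t ExifLength,
                        uint32_t OffsetVal, uint32_t ByteCount)
{
    if (!safe_pointer_ok(OffsetVal, ByteCount, ExifLength))
        return NULL;
    return exif + OffsetVal;
}

int main(void)
{
    /* Values taken from the report above. */
    uint32_t OffsetVal = 0xffff0014u, ByteCount = 0xffffu, ExifLength = 0x13eu;

    printf("naive check accepts: %s\n", naive_pointer_ok(OffsetVal, ByteCount, ExifLength) ? "yes" : "no");
    printf("safe  check accepts: %s\n", safe_pointer_ok(OffsetVal, ByteCount, ExifLength) ? "yes" : "no");

    /* Constructed 0x13e-byte section; a sane tag at offset 0x10 of 0x20 bytes is fine. */
    static uint8_t section[0x13e];
    printf("sane tag resolves:   %s\n", tag_data(section, sizeof section, 0x10u, 0x20u) ? "yes" : "no");
    printf("bogus tag resolves:  %s\n", tag_data(section, sizeof section, OffsetVal, ByteCount) ? "yes" : "no");
    return 0;
}
```

The naive form "passes" exactly the inputs from the report, which is why the segmentation fault lands inside strncpy rather than at the check; the hardened form rejects them and also catches the case where OffsetVal alone is already past the end of the section.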
