Package: jhead
Version: 1:3.00-7
Vulnerability type: Buffer Overflow

A buffer overflow bug was found in jhead, which allows attackers to cause
a denial of service via a crafted JPEG file.

Components: gpsinfo.c -> ProcessGpsInfo() -> line 164
```
case TAG_GPS_ALT://BUG
    sprintf(ImageInfo.GpsAlt + 1, "%.2fm",
        ConvertAnyFormat(ValuePtr, Format));
    break;
```
Output:
```
gdb-peda$ bt
#0  0x00007ffff7739428 in __GI_raise (sig=sig@entry=0x6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff773b02a in __GI_abort () at abort.c:89
#2  0x00007ffff777b7ea in __libc_message (do_abort=do_abort@entry=0x2,
    fmt=fmt@entry=0x7ffff789349f "*** %s ***: %s terminated\n") at
../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff781d15c in __GI___fortify_fail (msg=<optimized out>,
msg@entry=0x7ffff7893430 "buffer overflow detected")
    at fortify_fail.c:37
#4  0x00007ffff781b160 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff781a6c9 in _IO_str_chk_overflow (fp=<optimized out>,
c=<optimized out>) at vsprintf_chk.c:31
#6  0x00007ffff777f6b0 in __GI__IO_default_xsputn (f=0x7fffffff79b0,
data=<optimized out>, n=0x19) at genops.c:455
#7  0x00007ffff775625a in __GI___printf_fp_l (fp=fp@entry=0x7fffffff79b0,
loc=<optimized out>, info=info@entry=0x7fffffff7530,
    args=args@entry=0x7fffffff7510) at printf_fp.c:1236
#8  0x00007ffff7756bd9 in ___printf_fp (fp=fp@entry=0x7fffffff79b0,
info=info@entry=0x7fffffff7530,
    args=args@entry=0x7fffffff7510) at printf_fp.c:1257
#9  0x00007ffff77530b9 in _IO_vfprintf_internal (s=s@entry=0x7fffffff79b0,
format=<optimized out>,
    format@entry=0x40f640 "%.2fm", ap=ap@entry=0x7fffffff7ae8) at
vfprintf.c:1631
#10 0x00007ffff781a754 in ___vsprintf_chk (s=0x61659f <ImageInfo+20447>
"944473296573929042", flags=0x1, slen=0x13,
    format=0x40f640 "%.2fm", args=args@entry=0x7fffffff7ae8) at
vsprintf_chk.c:82
#11 0x00007ffff781a6ad in ___sprintf_chk (s=<optimized out>,
flags=flags@entry=0x1, slen=slen@entry=0x13,
    format=format@entry=0x40f640 "%.2fm") at sprintf_chk.c:31
#12 0x0000000000409649 in sprintf (__fmt=0x40f640 "%.2fm", __s=<optimized
out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#13 ProcessGpsInfo (DirStart=<optimized out>,
OffsetBase=OffsetBase@entry=0x6182d8
"MM", ExifLength=ExifLength@entry=0x13e)
    at gpsinfo.c:164
#14 0x0000000000407980 in ProcessExifDir (DirStart=DirStart@entry=0x6182e0
"", OffsetBase=OffsetBase@entry=0x6182d8 "MM",
    ExifLength=ExifLength@entry=0x13e, NestingLevel=NestingLevel@entry=0x0)
at exif.c:867
#15 0x0000000000407b86 in process_EXIF (ExifSection=ExifSection@entry=0x6182d0
"\001FExif", length=length@entry=0x146)
    at exif.c:1035
#16 0x0000000000404ab3 in ReadJpegSections (infile=infile@entry=0x617070,
ReadMode=ReadMode@entry=READ_METADATA) at jpgfile.c:287
#17 0x0000000000404dce in ReadJpegSections (ReadMode=READ_METADATA,
infile=0x617070) at jpgfile.c:126
#18 ReadJpegFile (FileName=FileName@entry=0x7fffffffe376 "poc",
ReadMode=READ_METADATA) at jpgfile.c:375
#19 0x0000000000402ac1 in ProcessFile (FileName=0x7fffffffe376 "poc") at
jhead.c:896
#20 0x000000000040183c in main (argc=argc@entry=0x2,
argv=argv@entry=0x7fffffffdff8)
at jhead.c:1729
#21 0x00007ffff7724830 in __libc_start_main (main=0x4016b0 <main>,
argc=0x2, argv=0x7fffffffdff8, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffdfe8) at ../csu/libc-start.c:291
#22 0x0000000000402219 in _start ()

```
The ConvertAnyFormat function converts ValuePtr to another data type according to
the Format value. When the Format value equals 11, ValuePtr is converted to the
double type. There is no type checking of the parameters in the sprintf call. In
this case, “%.2fm” corresponds to float-type data, while ConvertAnyFormat()
returns double-type data. This causes undesirable behavior, including a buffer
overflow: the backtrace shows the "%.2f" expansion writing n=0x19 (25) bytes
into a destination whose remaining checked size is slen=0x13 (19), i.e. the
formatted text of a value taken from the crafted file is longer than the
fixed-size ImageInfo.GpsAlt buffer. Replacing sprintf with snprintf, bounded by
the remaining size of ImageInfo.GpsAlt, may fix this bug.

Attachment: poc
Description: Binary data
