Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

Some CVEs were reported for jhead.
I talked to the Debian security team. The security issues are not critical and Salvatore Bonaccorso proposed to update the package in stable using stretch-pu instead of the security team.

The issues are already fixed in Debian unstable. I just reused the patches (from debian/patches/) for stretch-pu.

changes:
* d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
* d/p/33_fix_908176: Fix CVE-2018-16554
* d/p/34_buffer_overflow: Fix heap buffer overflow

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog --- jhead-3.00/debian/changelog 2017-03-20 19:26:16.000000000 +0000 +++ jhead-3.00/debian/changelog 2018-10-16 08:38:19.000000000 +0000 @@ -1,3 +1,11 @@ +jhead (1:3.00-4.1) stable; urgency=high + + * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088 + * d/p/33_fix_908176: Fix CVE-2018-16554 + * d/p/34_buffer_overflow: Fix heap buffer overflow + + -- Ludovic Rousseau <rouss...@debian.org> Tue, 16 Oct 2018 10:38:19 +0200 + jhead (1:3.00-4) unstable; urgency=medium * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213) diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo jhead-3.00/debian/patches/32_crash_in_gpsinfo --- jhead-3.00/debian/patches/32_crash_in_gpsinfo 1970-01-01 00:00:00.000000000 +0000 +++ jhead-3.00/debian/patches/32_crash_in_gpsinfo 2018-10-16 08:33:06.000000000 +0000 @@ -0,0 +1,26 @@ +From: Ludovic Rousseau <rouss...@debian.org> +Date: Wed Sep 5 15:32:00 CEST 2018 +Subject: Fix heap buffer overflow + +Bug-Debian: http://bugs.debian.org/907925 +Description: Fix CVE-2018-17088 + +--- a/gpsinfo.c ++++ b/gpsinfo.c +@@ -4,6 +4,7 @@ + // Matthias Wandel, Dec 1999 - Dec 2002 + //-------------------------------------------------------------------------- + #include "jhead.h" ++#include <stdint.h> + + #define MAX_GPS_TAG 0x1e + +@@ -101,7 +102,7 @@ + unsigned OffsetVal; + OffsetVal = Get32u(DirEntry+8); + // If its bigger than 4 bytes, the dir entry contains an offset. +- if (OffsetVal+ByteCount > ExifLength){ ++ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ + // Bogus pointer offset and / or bytecount value + ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0); + continue; diff -Nru jhead-3.00/debian/patches/33_fix_908176 jhead-3.00/debian/patches/33_fix_908176 --- jhead-3.00/debian/patches/33_fix_908176 1970-01-01 00:00:00.000000000 +0000 +++ jhead-3.00/debian/patches/33_fix_908176 2018-10-16 08:35:19.000000000 +0000 
@@ -0,0 +1,19 @@ +From: Ludovic Rousseau <rouss...@debian.org> +Date: Sat Sep 8 16:19:07 CEST 2018 +Subject: fix heap buffer overflow + +Bug-Debian: https://bugs.debian.org/908176 +Description: Fix CVE-2018-16554 + +--- a/gpsinfo.c ++++ b/gpsinfo.c +@@ -162,7 +162,8 @@ + break; + + case TAG_GPS_ALT: +- sprintf(ImageInfo.GpsAlt + 1, "%.2fm", ++ snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1, ++ "%.2fm", + ConvertAnyFormat(ValuePtr, Format)); + break; + } diff -Nru jhead-3.00/debian/patches/34_buffer_overflow jhead-3.00/debian/patches/34_buffer_overflow --- jhead-3.00/debian/patches/34_buffer_overflow 1970-01-01 00:00:00.000000000 +0000 +++ jhead-3.00/debian/patches/34_buffer_overflow 2018-10-16 08:36:45.000000000 +0000 @@ -0,0 +1,15 @@ +From: Ludovic Rousseau <rouss...@debian.org> +Date: Sat Sep 8 16:02:23 CEST 2018 +Subject: Fix heap buffer overflow + +--- a/jhead.c ++++ b/jhead.c +@@ -670,7 +670,7 @@ + NameExtra[0] = 0; + } + +- sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra); ++ snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, NameExtra); + + if (!strcmp(FileName, NewName)) break; // Skip if its already this name. + diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series --- jhead-3.00/debian/patches/series 2017-03-20 19:26:16.000000000 +0000 +++ jhead-3.00/debian/patches/series 2018-10-16 08:37:07.000000000 +0000 @@ -5,3 +5,6 @@ 25_makefile 27_documentation 31_CVE-2016-3822 +32_crash_in_gpsinfo +33_fix_908176 +34_buffer_overflow
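
Review bot: the new debian/changelog entry targets "stable" with version "1:3.00-4.1", which reads like an NMU version rather than a stretch point-release upload. For a stretch-pu upload the distribution is normally "stretch" and the version takes the +deb9u1 form (here 1:3.00-4+deb9u1). "urgency=high" also sits oddly next to the request text, which calls the issues not critical, and the entries do not mention the bug numbers given in the patch headers (907925, 908176).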
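
Review bot: in the gpsinfo.c hunk of 32_crash_in_gpsinfo, the wrap-around guard compares against UINT32_MAX while OffsetVal is declared as plain "unsigned", so the constant matches the variable only where unsigned is 32 bits wide. UINT_MAX from <limits.h> is the matching limit, or, if ByteCount and ExifLength are both unsigned (their declarations are not in the hunk), the test can be written without any addition as "ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount", which drops the new <stdint.h> include. The patch header's Subject ("Fix heap buffer overflow") also differs from the file name and from the changelog line for CVE-2018-17088.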
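
Review bot: in the TAG_GPS_ALT hunk of 33_fix_908176, the bound "sizeof(ImageInfo.GpsAlt) -1" is right only if GpsAlt is a char array member; that declaration is not in the hunk and is worth confirming, since sizeof on a pointer would yield the pointer size. The snprintf return value is also dropped, so an altitude string that does not fit is truncated silently; checking it and reporting through ErrNonfatal, as the other gpsinfo.c hunk does for a bad offset, would make malformed input visible.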
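
Review bot: in the jhead.c hunk of 34_buffer_overflow, the snprintf return value is ignored, so when NewBaseName plus NameExtra does not fit, the truncated NewName (possibly without its ".jpg" suffix) still goes on to the strcmp and the code after it. Compare the result against sizeof(NewName) and skip the file with an error on truncation. sizeof(NewName) also assumes an array declaration that the hunk does not show, and this patch header has no Bug-Debian or Description field, unlike the other two.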