jhead heap-buffer-overflow of exif.c in function Get16u
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
jhead (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Hi Ubuntu Security Team
I found an overflow error.
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
- https:/
-------
## Vendor of Product
https:/
-------
## Affected Product Code Base
libcaca 871e319 jhead version 3.06
-------
## Affected Component
affected component: jhead
-------
## Affected source code file
affected source code file (as call stack):
-> ProcessFile jhead.c:914:10
-> ReadJpegFile jpgfile.c:381:11
-> ReadJpegSections jpgfile.c:289:25
...
-> Get16u exif.c
-------
## Attack Type
jpg
-------
## Verification process and POC
### Verification steps:
1. Get the source code of jhead
Edit makefile
```
OBJ=obj
SRC=.
CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -fsanitize=address
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -fsanitize=address
...
```
2. Compile jhead
```
$ make
```
3. Run jhead
```
$ ./jhead poc.jpg
```
ASan info
```
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
Nonfatal Error : 'crashes/
=======
==4037677==ERROR: AddressSanitizer: heap-buffer-
READ of size 1 at 0x61a000000515 thread T0
#0 0x4ce2a9 in Get16u exif.c
#1 0x4d78c0 in ProcessCanonMak
#2 0x4d78c0 in ProcessMakerNote makernote.c:189:9
#3 0x4d0d4a in ProcessExifDir exif.c:578:13
#4 0x4d1a46 in ProcessExifDir exif.c:870:25
#5 0x4cfde3 in process_EXIF exif.c:1060:5
#6 0x4ca981 in ReadJpegSections jpgfile.c:289:25
#7 0x4cb257 in ReadJpegFile jpgfile.c:381:11
#8 0x4c6274 in ProcessFile jhead.c:914:10
#9 0x4c6274 in main jhead.c:1770:13
#10 0x7fb64aa370b2 in __libc_start_main /build/
#11 0x41c45d in _start (/home/
0x61a000000515 is located 9 bytes to the right of 1164-byte region [0x61a000000080
allocated by thread T0 here:
#0 0x494b9d in malloc (/home/
#1 0x4ca120 in ReadJpegSections jpgfile.c:175:25
#2 0x4cb257 in ReadJpegFile jpgfile.c:381:11
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x0c347fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff80a0: 00 04[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4037677==ABORTING
```
Thanks
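The ASan trace above shows the failure pattern: Get16u is asked to read at an offset derived from maker-note data, and that offset lands 9 bytes past the end of the 1164-byte section buffer that ReadJpegSections allocated. The defensive counterpart is to make every multi-byte read carry the section length and refuse offsets that do not leave room for the field. The following is an added example written for this report, not jhead's own code; the `ExifSection` type, the `get16u_checked` and `count_ifd_entries_checked` functions, and the sample IFD bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical section descriptor (not a jhead type): the bytes of one
 * EXIF/TIFF-style section plus the number of bytes that are actually valid. */
typedef struct {
    const unsigned char *data;  /* start of the section buffer */
    size_t len;                 /* number of valid bytes in 'data' */
    int motorola;               /* 1 = big-endian ("MM"), 0 = little-endian ("II") */
} ExifSection;

/* Bounds-checked 16-bit read. Returns 0 and stores the value, or -1 if the
 * 2-byte field at 'off' would extend past the end of the section. The check
 * is written as (len - off < 2) after (off > len) so it cannot overflow. */
int get16u_checked(const ExifSection *s, size_t off, uint16_t *out)
{
    if (s == NULL || s->data == NULL || out == NULL) return -1;
    if (off > s->len || s->len - off < 2) return -1;
    const unsigned char *p = s->data + off;
    *out = s->motorola ? (uint16_t)((p[0] << 8) | p[1])
                       : (uint16_t)((p[1] << 8) | p[0]);
    return 0;
}

/* Walk one IFD the way an EXIF or maker-note parser does: a 2-byte entry
 * count followed by 12-byte entries (tag, type, count, value/offset).
 * Returns the number of entries, or -1 if any read would leave the buffer.
 * The entry count comes from the file, so it is validated against the
 * remaining length before the entries are touched. */
int count_ifd_entries_checked(const ExifSection *s, size_t dir_start)
{
    uint16_t n;
    if (get16u_checked(s, dir_start, &n) != 0) return -1;
    size_t entries_start = dir_start + 2;
    size_t need = (size_t)n * 12;
    if (entries_start > s->len || s->len - entries_start < need) return -1;
    for (uint16_t i = 0; i < n; i++) {
        uint16_t tag, type;
        size_t e = entries_start + (size_t)i * 12;
        if (get16u_checked(s, e, &tag) != 0) return -1;
        if (get16u_checked(s, e + 2, &type) != 0) return -1;
    }
    return n;
}

/* Constructed sample (not from the PoC file): a big-endian IFD with two
 * entries, tag 0x010F and tag 0x0110, both ASCII (type 2), 26 bytes total. */
static const unsigned char SAMPLE_IFD[] = {
    0x00, 0x02,
    0x01, 0x0F, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
};

/* Intact section: both entries are inside the buffer. Returns 2. */
int demo_intact(void)
{
    ExifSection s = { SAMPLE_IFD, sizeof SAMPLE_IFD, 1 };
    return count_ifd_entries_checked(&s, 0);
}

/* Truncated section: the count still says 2 but only 10 bytes are valid,
 * so the walk is rejected instead of reading past the end. Returns -1. */
int demo_truncated(void)
{
    ExifSection s = { SAMPLE_IFD, 10, 1 };
    return count_ifd_entries_checked(&s, 0);
}

/* A 2-byte read starting on the last valid byte is refused. Returns -1. */
int demo_read_past_end(void)
{
    ExifSection s = { SAMPLE_IFD, sizeof SAMPLE_IFD, 1 };
    uint16_t v;
    return get16u_checked(&s, sizeof SAMPLE_IFD - 1, &v);
}

/* First tag of the sample, read big-endian (0x010F) and little-endian (0x0F01). */
int demo_first_tag(int motorola)
{
    ExifSection s = { SAMPLE_IFD, sizeof SAMPLE_IFD, motorola };
    uint16_t v;
    return get16u_checked(&s, 2, &v) == 0 ? (int)v : -1;
}

int main(void)
{
    printf("intact: %d entries\n", demo_intact());
    printf("truncated: %d\n", demo_truncated());
    printf("read past end: %d\n", demo_read_past_end());
    printf("first tag MM=0x%04X II=0x%04X\n", demo_first_tag(1), demo_first_tag(0));
    return 0;
}
```

Under an ASan build like the one in the verification steps, the checked reader returns -1 for the truncated input where an unchecked reader would trigger the heap-buffer-overflow report; the same (buffer, length) pair has to be threaded into every nested parser, including maker-note handlers that compute their own offsets from tag values.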
CVE References

summary: jhead overflow → jhead heap-buffer-overflow
summary: jhead heap-buffer-overflow → jhead heap-buffer-overflow of exif.c in function Get16u
Changed in jhead (Ubuntu): status: New → Confirmed
Issues have been assigned numbers CVE-2021-3496