Segmentation fault of incomplete fix issue

Bug #1838251 reported by Doudou Huang
Affects: jhead (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

There is a segmentation fault related to the incomplete fix of CVE-2018-16554 in jhead 3.03.

The system information is:
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
gcc: 5.4

To reproduce the crash, just run:
./jhead Poc

Here is the trace reported by ASAN:
ASAN:SIGSEGV
=================================================================
==134520==ERROR: AddressSanitizer: SEGV on unknown address 0x6130fa00dfa9 (pc 0x00000042cae0 bp 0x000000000001 sp 0x7ffdf0897270 T0)
    #0 0x42cadf in ProcessGpsInfo /mnt/data/playground/jhead-3.03-a/gpsinfo.c:121
    #1 0x423e6a in ProcessExifDir /mnt/data/playground/jhead-3.03-a/exif.c:866
    #2 0x423c62 in ProcessExifDir /mnt/data/playground/jhead-3.03-a/exif.c:852
    #3 0x423c62 in ProcessExifDir /mnt/data/playground/jhead-3.03-a/exif.c:852
    #4 0x423c62 in ProcessExifDir /mnt/data/playground/jhead-3.03-a/exif.c:852
    #5 0x41fc8f in ProcessExifDir /mnt/data/playground/jhead-3.03-a/exif.c:936
    #6 0x4252bd in process_EXIF /mnt/data/playground/jhead-3.03-a/exif.c:1041
    #7 0x4107ec in ReadJpegSections /mnt/data/playground/jhead-3.03-a/jpgfile.c:287
    #8 0x411b25 in ReadJpegSections /mnt/data/playground/jhead-3.03-a/jpgfile.c:126
    #9 0x411b25 in ReadJpegFile /mnt/data/playground/jhead-3.03-a/jpgfile.c:375
    #10 0x408dd7 in ProcessFile /mnt/data/playground/jhead-3.03-a/jhead.c:905
    #11 0x402f74 in main /mnt/data/playground/jhead-3.03-a/jhead.c:1757
    #12 0x7f9616ba182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x406d58 in _start (/mnt/data/playground/jhead-3.03-a/jhead+0x406d58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/data/playground/jhead-3.03-a/gpsinfo.c:121 ProcessGpsInfo
==134520==ABORTING

Revision history for this message
Doudou Huang (tinywhite) wrote :
Revision history for this message
Mike Salvatore (mikesalvatore) wrote :

Hi Doudou,

Thanks for reporting this. Have you reported this to the upstream developer yet? Additionally, is it possible that this is related to https://bugzilla.redhat.com/show_bug.cgi?id=1679952? That bug has been assigned CVE-2019-1010301.

Revision history for this message
Doudou Huang (tinywhite) wrote :

I have reported this to the upstream developer and he has not responded yet.

I think it is related, but the two crashes have different execution paths.

Moreover, that bug is in jhead 3.00 version.

I think this may be an incomplete fix or a new bug.

Revision history for this message
Mike Salvatore (mikesalvatore) wrote :

I've rebuilt the 3.00 packages in xenial and bionic, as well as the 3.03 package in eoan with AddressSanitizer, and I've been unable to reproduce this. Can you share any other information that might help me reproduce this, such as the makefile or any other compile-time options you're using? Are you using a 32-bit system?

Revision history for this message
Doudou Huang (tinywhite) wrote :

The input may have been damaged when I downloaded it from the server, so I have uploaded a new one.

I compile the project with the flags:
 -O3 -Wall -c

I can reproduce the crash here.

Revision history for this message
Mike Salvatore (mikesalvatore) wrote :

It looks like the attached patch is mitigating the issue. This patch has already been applied to xenial, bionic, disco, and eoan, which is why I was unable to reproduce the issue.

Revision history for this message
Doudou Huang (tinywhite) wrote :

OK, I cannot trigger it after the patch either.

Then I think this is the same issue as CVE-2019-1010301.

Revision history for this message
Mike Salvatore (mikesalvatore) wrote :

This bug describes errors in the upstream version of the software, not the version packaged with Ubuntu.

Changed in jhead (Ubuntu):
status: New → Invalid
information type: Private Security → Public Security