Ubuntu

jhead: multiple security vulnerabilities

Reported by Marc MERLIN on 2008-09-16
278
Affects Status Importance Assigned to Milestone
jhead (Ubuntu)
High
Unassigned
Dapper
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
Intrepid
High
Unassigned

Bug Description

jhead -cmd fails when your filenames and resulting command line is too long:

Before:jhead -cmd '/usr/local/Rig/rig/thumbnail/rig_thumbnail.exe -r &i &o 100 70' /home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpg
Cmd:/usr/local/Rig/rig/thumbnail/rig_thumbnail.exe -r "/home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpg" "/home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpt" 100 70
<init> : Avifile RELEASE-0.7.47-080115-14:47-4.2.3
<init> : Available CPU flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni monitor ds_cpl vmx est tm
<init> : 1000.00 MHz Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz processor detected
Error : specified command did not produce expected output file <<<<<<<<<<<<<<<<<<<<<<<<<
in file '/home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpg'

After:
gandalf:/var/tmp/jhead-2.80# ./jhead -cmd '/usr/local/Rig/rig/thumbnail/rig_thumbnail.exe -r &i &o 100 70' /home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpg
Cmd:/usr/local/Rig/rig/thumbnail/rig_thumbnail.exe -r "/home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpg" "/home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpt" 100 70
<init> : Avifile RELEASE-0.7.47-080115-14:47-4.2.3
<init> : Available CPU flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni monitor ds_cpl vmx est tm
<init> : 1000.00 MHz Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz processor detected
Modified: /home/merlin/rig3/blog/cat/diving/Pix/rig-cache/20080824_French_Polynesia/20080830_Rangiroa/Day8-2_Rangiroa-Tiputa_Pass/BestOf/prev100_129_Day8-2_Rangiroa-Tiputa_Pass.jpg

Diff is trivial:
gandalf:/var/tmp/jhead-2.80# diff -u jhead.c.orig jhead.c
--- jhead.c.orig 2008-09-16 11:00:16.000000000 -0700
+++ jhead.c 2008-09-16 11:00:23.000000000 -0700
@@ -298,8 +298,8 @@
 static void DoCommand(const char * FileName, int ShowIt)
 {
     int a,e;
- char ExecString[400];
- char TempName[200];
+ char ExecString[64000];
+ char TempName[32000];
     int TempUsed = FALSE;

     e = 0;

Marc MERLIN (marc-soft) wrote :
John Dong (jdong) wrote :

Using an extremely long -cmd leads to stack protector being tripped. The ExecString and TempName should probably be dynamically allocated based on the strlen of the command.

---

*** stack smashing detected ***: jhead terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ee5138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7ee50f0]
jhead[0x804944a]
[0x20202020]
======= Memory map: ========
08048000-08056000 r-xp 00000000 fe:00 33760719 /usr/bin/jhead
08056000-08057000 rw-p 0000e000 fe:00 33760719 /usr/bin/jhead
08057000-08079000 rw-p 08057000 00:00 0 [heap]
b7df7000-b7df8000 rw-p b7df7000 00:00 0
b7df8000-b7f41000 r-xp 00000000 fe:00 51342253 /lib/tls/i686/cmov/libc-2.7.so
b7f41000-b7f42000 r--p 00149000 fe:00 51342253 /lib/tls/i686/cmov/libc-2.7.so
b7f42000-b7f44000 rw-p 0014a000 fe:00 51342253 /lib/tls/i686/cmov/libc-2.7.so
b7f44000-b7f47000 rw-p b7f44000 00:00 0
b7f47000-b7f6a000 r-xp 00000000 fe:00 51342261 /lib/tls/i686/cmov/libm-2.7.so
b7f6a000-b7f6c000 rw-p 00023000 fe:00 51342261 /lib/tls/i686/cmov/libm-2.7.so
b7f87000-b7f91000 r-xp 00000000 fe:00 125830164 /lib/libgcc_s.so.1
b7f91000-b7f92000 rw-p 0000a000 fe:00 125830164 /lib/libgcc_s.so.1
b7f92000-b7f95000 rw-p b7f92000 00:00 0
b7f95000-b7f96000 r-xp b7f95000 00:00 0 [vdso]
b7f96000-b7fb0000 r-xp 00000000 fe:00 125830168 /lib/ld-2.7.so
b7fb0000-b7fb2000 rw-p 00019000 fe:00 125830168 /lib/ld-2.7.so
bfa5d000-bfa72000 rw-p bffeb000 00:00 0 [stack]

Changed in jhead:
status: New → Confirmed
John Dong (jdong) wrote :

I'd also like to point out that from a simple glance at jhead.c there are plenty of other security issues present, including unsafe temp file creation, other routines calling DoCommand, more unchecked buffers, shell escapes, unsafe buffer sized strcat's in ModifyDescriptComment, and so on. This whole codebase needs a review/rewrite.

Jamie Strandboge (jdstrand) wrote :

As bug has security implications and upstream has not been contacted yet, I have unsubscribed ubuntu-bugs, subscribed ubuntu-security and jdong. John will contact upstream. Please make public when appropriate. Thanks for your work on this!

Michael Bienia (geser) wrote :

Unsubscribing ubuntu-universe-sponsors for now as the current patch doesn't really fix the problem (it's only a bandaid).

John Dong (jdong) wrote :

I've notified upstream and he has responded, acknowledging these and other issues I saw from a quick scan through of the code. He plans to fix them in the coming week or two and roll a new release.

Michael Bienia (geser) wrote :

jhead 2.84 got released this month fixing the security issues. I had only a quick look at the diff and didn't check yet if all security issues are really fixed.
It would be good if someone could check the new version and preferable get it also into intrepid.

John Dong (jdong) wrote :

Archive Admins: Please sync jhead 2.84-1 from Sid for Intrepid. I have locally tested and verified build, install, and update from old packages.

Thanks.

Changed in jhead:
importance: Undecided → High
Scott Kitterman (kitterman) wrote :

Ack from motu-release.

Steve Langasek (vorlon) wrote :

[Updating] jhead (2.82-1 [Ubuntu] < 2.84-1 [Debian])
 * Trying to add jhead...
  - <jhead_2.84-1.dsc: downloading from http://ftp.debian.org/debian/>
  - <jhead_2.84.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <jhead_2.84-1.diff.gz: downloading from http://ftp.debian.org/debian/>
I: jhead [universe] -> jhead_2.82-1 [universe].

Changed in jhead:
status: New → Fix Released
Steve Langasek (vorlon) wrote :

[Updating] jhead (2.82-1 [Ubuntu] < 2.84-1 [Debian])
 * Trying to add jhead...
  - <jhead_2.84-1.dsc: cached>
  - <jhead_2.84.orig.tar.gz: cached>
  - <jhead_2.84-1.diff.gz: cached>
I: jhead [universe] -> jhead_2.82-1 [universe].

Changed in jhead:
status: New → Fix Released
Steve Langasek (vorlon) wrote :

whoops, script misfire. Still applies to dapper and gutsy, reopening.

Changed in jhead:
status: Confirmed → Fix Released
status: Fix Released → New
status: Fix Released → New
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in jhead (Ubuntu Gutsy):
status: New → Won't Fix
Marc MERLIN (marc-soft) wrote :

Considering dapper & hardy are LTS, could the fixed package go in at least those two since it's a security issue?

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in jhead (Ubuntu Hardy):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in jhead (Ubuntu Hardy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in jhead (Ubuntu Dapper):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Patches