jhead: multiple security vulnerabilities
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| jhead (Ubuntu) | | High | Unassigned | |
| Dapper | | Undecided | Unassigned | |
| Gutsy | | Undecided | Unassigned | |
| Hardy | | Undecided | Unassigned | |
| Intrepid | | High | Unassigned | |
Bug Description
jhead -cmd fails when your filenames and the resulting command line are too long:
Before:
jhead -cmd '/usr/local/
Cmd:/usr/
<init> : Avifile RELEASE-
<init> : Available CPU flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni monitor ds_cpl vmx est tm
<init> : 1000.00 MHz Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz processor detected
Error : specified command did not produce expected output file <<<<<<<
in file '/home/
After:
gandalf:
Cmd:/usr/
<init> : Avifile RELEASE-
<init> : Available CPU flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni monitor ds_cpl vmx est tm
<init> : 1000.00 MHz Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz processor detected
Modified: /home/merlin/
Diff is trivial:
gandalf:
--- jhead.c.orig 2008-09-16 11:00:16.000000000 -0700
+++ jhead.c 2008-09-16 11:00:23.000000000 -0700
@@ -298,8 +298,8 @@
static void DoCommand(const char * FileName, int ShowIt)
{
int a,e;
- char ExecString[400];
- char TempName[200];
+ char ExecString[64000];
+ char TempName[32000];
int TempUsed = FALSE;
e = 0;
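Review bot: Enlarging ExecString to 64000 and TempName to 32000 only moves the overflow threshold; the copies into them are still unbounded, so a -cmd string or file name longer than the new sizes overruns the stack exactly as before, and DoCommand now reserves roughly 96 KB of stack on every call. Either size the buffers from strlen of the command and file name (as suggested later in this report) or keep them fixed and fail with an error when the expanded command does not fit, before anything is executed.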
| Marc MERLIN (marc-soft) wrote : | #1 |
| John Dong (jdong) wrote : | #3 |
I'd also like to point out that from a simple glance at jhead.c there are plenty of other security issues present, including unsafe temp file creation, other routines calling DoCommand, more unchecked buffers, shell escapes, unsafe buffer sized strcat's in ModifyDescriptC
| Jamie Strandboge (jdstrand) wrote : | #4 |
As bug has security implications and upstream has not been contacted yet, I have unsubscribed ubuntu-bugs, subscribed ubuntu-security and jdong. John will contact upstream. Please make public when appropriate. Thanks for your work on this!
| Michael Bienia (geser) wrote : | #5 |
Unsubscribing ubuntu-
| John Dong (jdong) wrote : | #6 |
I've notified upstream and he has responded, acknowledging these and other issues I saw from a quick scan through of the code. He plans to fix them in the coming week or two and roll a new release.
| Michael Bienia (geser) wrote : | #7 |
jhead 2.84 got released this month fixing the security issues. I had only a quick look at the diff and didn't check yet if all security issues are really fixed.
It would be good if someone could check the new version and preferably get it also into intrepid.
| Jamie Strandboge (jdstrand) wrote : | #8 |
2.84 released:
http://
http://
Marking public.
| John Dong (jdong) wrote : | #9 |
Archive Admins: Please sync jhead 2.84-1 from Sid for Intrepid. I have locally tested and verified build, install, and update from old packages.
Thanks.
| Changed in jhead: | |
| importance: | Undecided → High |
| Scott Kitterman (kitterman) wrote : | #10 |
Ack from motu-release.
| Steve Langasek (vorlon) wrote : | #11 |
[Updating] jhead (2.82-1 [Ubuntu] < 2.84-1 [Debian])
* Trying to add jhead...
- <jhead_2.84-1.dsc: downloading from http://
- <jhead_
- <jhead_
I: jhead [universe] -> jhead_2.82-1 [universe].
| Changed in jhead: | |
| status: | New → Fix Released |
| Steve Langasek (vorlon) wrote : | #13 |
[Updating] jhead (2.82-1 [Ubuntu] < 2.84-1 [Debian])
* Trying to add jhead...
- <jhead_2.84-1.dsc: cached>
- <jhead_
- <jhead_
I: jhead [universe] -> jhead_2.82-1 [universe].
| Changed in jhead: | |
| status: | New → Fix Released |
| Steve Langasek (vorlon) wrote : | #14 |
whoops, script misfire. Still applies to dapper and gutsy, reopening.
| Changed in jhead: | |
| status: | Confirmed → Fix Released |
| status: | Fix Released → New |
| status: | Fix Released → New |
| Sergio Zanchetta (primes2h) wrote : | #15 |
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://
Gutsy task.
| Changed in jhead (Ubuntu Gutsy): | |
| status: | New → Won't Fix |
| Marc MERLIN (marc-soft) wrote : | #16 |
Considering dapper & hardy are LTS, could the fixed package go in at least those two since it's a security issue?
| Jamie Strandboge (jdstrand) wrote : | #17 |
Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https:/
| Changed in jhead (Ubuntu Hardy): | |
| status: | New → Confirmed |
| Jamie Strandboge (jdstrand) wrote : | #18 |
Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
Please feel free to report any other bugs you may find.
| Changed in jhead (Ubuntu Hardy): | |
| status: | Confirmed → Won't Fix |
| Jamie Strandboge (jdstrand) wrote : | #19 |
Thank you for reporting this bug to Ubuntu. dapper has reached EOL (End of Life) and is no longer supported. As a result, this bug against dapper is being marked "Won't Fix". Please see https:/ releases.
Please feel free to report any other bugs you may find.
| Changed in jhead (Ubuntu Dapper): | |
| status: | New → Won't Fix |


Using an extremely long -cmd leads to stack protector being tripped. The ExecString and TempName should probably be dynamically allocated based on the strlen of the command.
---
*** stack smashing detected ***: jhead terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ee5138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7ee50f0]
jhead[0x804944a]
[0x20202020]
======= Memory map: ========
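The remedy the comment above points at, written out as an added example that is not jhead's own code: expand the -cmd template once to measure it, then either refuse a command that does not fit the fixed buffer or allocate a buffer of exactly the measured size. It assumes jhead's &i/&o placeholders for the input and output file names, and it only addresses the buffer sizing; the shell-escape problem John Dong lists is separate and is not fixed by sizing alone.

```c
#include <stdlib.h>
#include <string.h>

/* Expand the "&i" (input file) and "&o" (output file) placeholders of a
   -cmd template into dst, writing at most dstsz bytes including the NUL.
   Like snprintf it returns the full expanded length, so a result >= dstsz
   means the output was truncated.  dst may be NULL when dstsz is 0, which
   turns the call into a pure length measurement. */
size_t expand_cmd(char *dst, size_t dstsz, const char *templ,
                  const char *in, const char *out)
{
    size_t n = 0;
    for (const char *p = templ; *p; p++) {
        const char *rep = p;          /* default: copy one literal byte */
        size_t replen = 1;
        if (p[0] == '&' && p[1] == 'i') { rep = in;  replen = strlen(in);  p++; }
        else if (p[0] == '&' && p[1] == 'o') { rep = out; replen = strlen(out); p++; }
        for (size_t k = 0; k < replen; k++, n++)
            if (n + 1 < dstsz)        /* keep room for the terminator */
                dst[n] = rep[k];
    }
    if (dstsz)
        dst[n < dstsz ? n : dstsz - 1] = '\0';
    return n;
}

/* Variant 1: keep the caller's fixed-size buffer (ExecString[400] in the
   original DoCommand) but refuse to use anything that did not fit instead
   of overflowing the stack frame.  Returns 0 when exec holds the whole
   command, -1 when it was truncated and must not be executed. */
int build_cmd_bounded(char *exec, size_t execsz, const char *templ,
                      const char *in, const char *out)
{
    size_t need = expand_cmd(exec, execsz, templ, in, out);
    return need >= execsz ? -1 : 0;
}

/* Variant 2: size the buffer from the real expansion length, as the report
   suggests (malloc instead of a fixed array).  Caller frees the result;
   NULL means allocation failed. */
char *build_cmd_dynamic(const char *templ, const char *in, const char *out)
{
    size_t need = expand_cmd(NULL, 0, templ, in, out) + 1;
    char *buf = malloc(need);
    if (buf)
        expand_cmd(buf, need, templ, in, out);
    return buf;
}
```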