Hello,

Done. Thanks a lot.

Regards,
Hanfang

Ludovic Rousseau <ludovic.rouss...@gmail.com> wrote on Saturday, September 8, 2018 at 1:05 AM:
> Hello,
>
> Please request a new CVE ID.
> As Salvatore Bonaccorso wrote in http://bugs.debian.org/907925
>
> "Can you please request a CVE via the webform at
> https://cveform.mitre.org/ and once the CVE assigned loop it back here?"
>
> Thanks
>
> On 07/09/2018 at 05:54, Hanfang Zhang wrote:
> > Package: jhead
> > Version: 1:3.00-7
> > Vulnerability type: Buffer Overflow
> >
> > A buffer overflow bug was found in jhead, which allows attackers to
> > cause a denial of service via a crafted JPEG file.
> >
> > Components: gpsinfo.c -> ProcessGpsInfo() -> line 164
> > ```
> > case TAG_GPS_ALT://BUG
> >     sprintf(ImageInfo.GpsAlt + 1, "%.2fm",
> >             ConvertAnyFormat(ValuePtr, Format));
> >     break;
> > ```
> > Output:
> > ```
> > gdb-peda$ bt
> > #0  0x00007ffff7739428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
> > #1  0x00007ffff773b02a in __GI_abort () at abort.c:89
> > #2  0x00007ffff777b7ea in __libc_message (do_abort=do_abort@entry=0x2, fmt=fmt@entry=0x7ffff789349f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
> > #3  0x00007ffff781d15c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x7ffff7893430 "buffer overflow detected") at fortify_fail.c:37
> > #4  0x00007ffff781b160 in __GI___chk_fail () at chk_fail.c:28
> > #5  0x00007ffff781a6c9 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
> > #6  0x00007ffff777f6b0 in __GI__IO_default_xsputn (f=0x7fffffff79b0, data=<optimized out>, n=0x19) at genops.c:455
> > #7  0x00007ffff775625a in __GI___printf_fp_l (fp=fp@entry=0x7fffffff79b0, loc=<optimized out>, info=info@entry=0x7fffffff7530, args=args@entry=0x7fffffff7510) at printf_fp.c:1236
> > #8  0x00007ffff7756bd9 in ___printf_fp (fp=fp@entry=0x7fffffff79b0, info=info@entry=0x7fffffff7530, args=args@entry=0x7fffffff7510) at printf_fp.c:1257
> > #9  0x00007ffff77530b9 in _IO_vfprintf_internal (s=s@entry=0x7fffffff79b0, format=<optimized out>, format@entry=0x40f640 "%.2fm", ap=ap@entry=0x7fffffff7ae8) at vfprintf.c:1631
> > #10 0x00007ffff781a754 in ___vsprintf_chk (s=0x61659f <ImageInfo+20447> "944473296573929042", flags=0x1, slen=0x13, format=0x40f640 "%.2fm", args=args@entry=0x7fffffff7ae8) at vsprintf_chk.c:82
> > #11 0x00007ffff781a6ad in ___sprintf_chk (s=<optimized out>, flags=flags@entry=0x1, slen=slen@entry=0x13, format=format@entry=0x40f640 "%.2fm") at sprintf_chk.c:31
> > #12 0x0000000000409649 in sprintf (__fmt=0x40f640 "%.2fm", __s=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
> > #13 ProcessGpsInfo (DirStart=<optimized out>, OffsetBase=OffsetBase@entry=0x6182d8 "MM", ExifLength=ExifLength@entry=0x13e) at gpsinfo.c:164
> > #14 0x0000000000407980 in ProcessExifDir (DirStart=DirStart@entry=0x6182e0 "", OffsetBase=OffsetBase@entry=0x6182d8 "MM", ExifLength=ExifLength@entry=0x13e, NestingLevel=NestingLevel@entry=0x0) at exif.c:867
> > #15 0x0000000000407b86 in process_EXIF (ExifSection=ExifSection@entry=0x6182d0 "\001FExif", length=length@entry=0x146) at exif.c:1035
> > #16 0x0000000000404ab3 in ReadJpegSections (infile=infile@entry=0x617070, ReadMode=ReadMode@entry=READ_METADATA) at jpgfile.c:287
> > #17 0x0000000000404dce in ReadJpegSections (ReadMode=READ_METADATA, infile=0x617070) at jpgfile.c:126
> > #18 ReadJpegFile (FileName=FileName@entry=0x7fffffffe376 "poc", ReadMode=READ_METADATA) at jpgfile.c:375
> > #19 0x0000000000402ac1 in ProcessFile (FileName=0x7fffffffe376 "poc") at jhead.c:896
> > #20 0x000000000040183c in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffdff8) at jhead.c:1729
> > #21 0x00007ffff7724830 in __libc_start_main (main=0x4016b0 <main>, argc=0x2, argv=0x7fffffffdff8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfe8) at ../csu/libc-start.c:291
> > #22 0x0000000000402219 in _start ()
> > ```
> > The ConvertAnyFormat function converts ValuePtr to another data type based on
> > the Format value. When the Format value equals 11, ValuePtr should be
> > converted to the double type. There is no type checking of the parameters in
> > the sprintf function. In this case, "%.2fm" corresponds to float type data,
> > while ConvertAnyFormat() corresponds to double type data. So it causes
> > undesirable behavior including buffer overflow. Replacing sprintf with
> > snprintf may fix this bug.
>
> --
> Dr. Ludovic Rousseau
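As an added illustration of the snprintf fix proposed in the report (this is not jhead's code), the following C shows a bounded formatter for a fixed-size GpsAlt-style field, plus a helper that measures how many bytes the unbounded "%.2fm" write in the backtrace would have needed. The buffer size, the meaning of the byte at offset 0 and the helper names are assumptions; the sample value comes from the backtrace.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the fixed-size GpsAlt field. 20 bytes leaves 19
   after the "+ 1" offset, matching slen=0x13 in the backtrace; the real
   struct member size in jhead is an assumption here. */
#define GPS_ALT_LEN 20

/* Bounded replacement for sprintf(GpsAlt + 1, "%.2fm", value). Writes at
   offset 1 like the original (byte 0 is left to the caller; assumption).
   Returns true if the formatted value fit, false if snprintf truncated it.
   In neither case is anything written past dst[dstlen - 1]. */
bool format_gps_alt(char *dst, size_t dstlen, double alt)
{
    if (dstlen < 2)
        return false;
    int n = snprintf(dst + 1, dstlen - 1, "%.2fm", alt);
    return n >= 0 && (size_t)n < dstlen - 1;
}

/* Number of bytes (excluding the NUL) that "%.2fm" produces for alt.
   snprintf(NULL, 0, ...) only counts, so this is safe for any value and
   shows how far an oversized value would run past a 19-byte slot. */
size_t gps_alt_needed(double alt)
{
    int n = snprintf(NULL, 0, "%.2fm", alt);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    char buf[GPS_ALT_LEN];
    memset(buf, 0, sizeof buf);
    buf[0] = ' ';  /* sign/flag byte, written by the caller (assumption) */

    /* An ordinary altitude fits comfortably: "123.45m" is 7 bytes. */
    printf("%d %s\n", format_gps_alt(buf, sizeof buf, 123.45), buf + 1);

    /* The value seen in the backtrace needs 22 bytes ("...042.00m"), more
       than the 19 available; the bounded version truncates and reports it
       instead of running off the end of the struct. */
    double crafted = 944473296573929042.0;
    printf("needs %zu bytes\n", gps_alt_needed(crafted));
    printf("%d %s\n", format_gps_alt(buf, sizeof buf, crafted), buf + 1);
    return 0;
}
```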