Fedora has issued an advisory on August 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3WVQTORTGQE56XXC6OVHQCSCUGABRMQZ/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
CC: (none) => geiger.david68210
Assigning to Jani both as registered maintainer & current committer.
Assignee: bugsquad => jani.valimaa
Fedora has issued an advisory on December 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GPNV43VBUCMUBRBKPJBY4DDSYLHQ2GFR/

It fixes one more security issue. All of these issues are fixed upstream in 3.04.
Severity: normal => major
Summary: jhead new security issues CVE-2019-1010301 and CVE-2019-1010302 => jhead new security issues CVE-2019-19035, CVE-2019-1010301, and CVE-2019-1010302
Pushed 3.04 to current cauldron and to core/updates_testing for mga7. Please test.

(S)RPM: jhead-3.04-1.mga7
Version: Cauldron => 7
Assignee: jani.valimaa => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => jani.valimaa
Advisory:
========================

Updated jhead package fixes security vulnerabilities:

jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file (CVE-2019-1010301).

jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file (CVE-2019-1010302).

jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file (CVE-2019-19035).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010301
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010302
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3WVQTORTGQE56XXC6OVHQCSCUGABRMQZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GPNV43VBUCMUBRBKPJBY4DDSYLHQ2GFR/
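A heap over-read in a JPEG section reader is usually a declared segment length or component count taken from the file and used before it is checked against the data actually read; the page does not show jhead's own code path, so the following is an added example, not jhead's code and not the upstream fix. It walks the marker segments of a JPEG and validates every length field against the bytes remaining in the buffer before touching the payload, and validates a SOFn component table against its own segment, so a crafted or truncated file produces an error return instead of an out-of-bounds read. The function and type names (walk_jpeg_sections, parse_sof, jpeg_sof) and the three byte arrays are this example's own constructions.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes returned by the walker (example's own, not jhead's). */
enum {
    JPEG_BAD_HEADER = -1,  /* no SOI (FF D8) at the start */
    JPEG_BAD_MARKER = -2,  /* expected an FF marker prefix, found data */
    JPEG_TRUNCATED  = -3,  /* a declared length runs past the buffer */
    JPEG_BAD_SOF    = -4   /* SOFn component table does not fit its segment */
};

typedef struct { int width, height, components; } jpeg_sof;

/* SOFn payload: precision(1) height(2) width(2) ncomp(1), then 3 bytes per
 * component. n is the payload length of a segment already known to fit. */
static int parse_sof(const uint8_t *p, size_t n, jpeg_sof *out)
{
    if (n < 6) return JPEG_BAD_SOF;
    size_t ncomp = p[5];
    if (ncomp == 0 || 6 + 3 * ncomp > n) return JPEG_BAD_SOF; /* table must fit */
    out->height = (p[1] << 8) | p[2];
    out->width = (p[3] << 8) | p[4];
    out->components = (int)ncomp;
    return 0;
}

/* SOF0..SOF15 are C0..CF, except DHT (C4), JPG (C8) and DAC (CC). */
static int is_sof_marker(uint8_t m)
{
    return m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC;
}

/* Walk marker segments from SOI until SOS or EOI. Returns the number of
 * length-carrying segments walked (>= 0) or a negative JPEG_* code. *sof is
 * filled in when a SOFn segment is seen. Never reads outside buf[0..len). */
int walk_jpeg_sections(const uint8_t *buf, size_t len, jpeg_sof *sof)
{
    size_t pos = 2;
    int count = 0;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_BAD_HEADER;
    for (;;) {
        if (pos >= len) return JPEG_TRUNCATED;
        if (buf[pos] != 0xFF) return JPEG_BAD_MARKER;
        while (pos < len && buf[pos] == 0xFF) pos++;  /* FF fill bytes are legal */
        if (pos >= len) return JPEG_TRUNCATED;
        uint8_t marker = buf[pos++];

        if (marker == 0xD9) return count;             /* EOI: nothing follows */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                                 /* TEM/RSTn carry no length */
        if (len - pos < 2) return JPEG_TRUNCATED;     /* need both length bytes */

        size_t seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        /* The length field is attacker controlled: it counts itself (so must
         * be >= 2) and must not extend past the bytes actually in the buffer. */
        if (seglen < 2 || seglen > len - pos) return JPEG_TRUNCATED;

        if (is_sof_marker(marker)) {
            int rc = parse_sof(buf + pos + 2, seglen - 2, sof);
            if (rc != 0) return rc;
        }
        count++;
        if (marker == 0xDA) return count;             /* SOS: entropy data follows */
        pos += seglen;
    }
}

const char *jpeg_strerror(int rc)
{
    switch (rc) {
    case JPEG_BAD_HEADER: return "no SOI marker";
    case JPEG_BAD_MARKER: return "garbage where a marker was expected";
    case JPEG_TRUNCATED:  return "section length runs past end of data";
    case JPEG_BAD_SOF:    return "SOF component table does not fit section";
    default:              return "ok";
    }
}

/* Constructed inputs for this example (hand-assembled bytes, not real files). */
const uint8_t good_jpeg[] = {
    0xFF, 0xD8,                                                  /* SOI */
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,            /* APP0, len 16 */
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0xFF, 0xC0, 0x00, 0x0B, 0x08, 0x00, 0x02, 0x00, 0x02,        /* SOF0, len 11 */
    0x01, 0x01, 0x11, 0x00,                                      /* 2x2, 1 component */
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00,  /* SOS, len 8 */
    0x00, 0xFF, 0xD9                                             /* scan data, EOI */
};
/* Same start, but the SOF0 claims 11 bytes while only 4 remain in the file. */
const uint8_t truncated_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0xFF, 0xC0, 0x00, 0x0B, 0x08, 0x00
};
/* SOF0 length 11 leaves room for one component but the count byte says 3:
 * without the check in parse_sof the table read would run into the SOS. */
const uint8_t bad_sof_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xC0, 0x00, 0x0B, 0x08, 0x00, 0x02, 0x00, 0x02,
    0x03, 0x01, 0x11, 0x00,
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00,
    0xFF, 0xD9
};

int main(void)
{
    jpeg_sof sof = {0, 0, 0};
    int rc = walk_jpeg_sections(good_jpeg, sizeof good_jpeg, &sof);
    printf("good:      %d segments, %dx%d, %d component(s)\n",
           rc, sof.width, sof.height, sof.components);
    printf("truncated: %s\n",
           jpeg_strerror(walk_jpeg_sections(truncated_jpeg, sizeof truncated_jpeg, &sof)));
    printf("bad SOF:   %s\n",
           jpeg_strerror(walk_jpeg_sections(bad_sof_jpeg, sizeof bad_sof_jpeg, &sof)));
    return 0;
}
```

The two checks that do the work are `seglen > len - pos` (the segment must lie inside what was read, and the comparison is written so it cannot underflow) and `6 + 3 * ncomp > n` (the component table must lie inside its segment). Both are done on the declared sizes before any payload byte is dereferenced, which is what makes a crafted file a clean error rather than a read past the heap buffer.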
Mageia7, x86_64

Before updating:

CVE-2019-19035
https://bugzilla.redhat.com/show_bug.cgi?id=1765647
Three test files available, one designed to be run in an asan framework.

$ jhead jhead_poc1
Header missing JFIF marker
Jfif header too short
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Nonfatal Error : 'jhead_poc1' Extraneous 10 padding bytes before section E0
Header missing JFIF marker
Nonfatal Error : 'jhead_poc1' Extraneous 11 padding bytes before section B6
Error : Premature end of file? in file 'jhead_poc1'

$ jhead jhead_poc2
Error : Huff table too short in file 'jhead_poc2'

$ jhead jhead_poc3
Nonfatal Error : 'jhead_poc3' Extraneous 89 padding bytes before section C4
Error : Huff table too short in file 'jhead_poc3'

Upstream says to expect crashes - maybe true if compiled with asan.

CVE-2019-1010301
https://bugzilla.redhat.com/show_bug.cgi?id=1679952
Stack buffer overflow.

$ jhead SBO_gpsinfo.c_150_17_asan_plain_nocrash
<Some non-fatal errors>
Nonfatal Error : 'SBO_gpsinfo.c_150_17_asan_plain_nocrash' Inappropriate format (11) for Exif GPS coordinates!
*** buffer overflow detected ***: jhead terminated
Aborted (core dumped)

CVE-2019-1010302
https://bugzilla.redhat.com/show_bug.cgi?id=1679978

$ jhead OOBR_unknown_1_crash
Header missing JFIF marker
Jfif header too short
Nonfatal Error : 'OOBR_unknown_1_crash' Extraneous 17 padding bytes before section ED
Nonfatal Error : 'OOBR_unknown_1_crash' Extraneous 24 padding bytes before section D5
File name    : OOBR_unknown_1_crash
File size    : 127 bytes
[...]
Segmentation fault (core dumped)

Updated jhead and retested the PoC.

CVE-2019-19035
$ jhead jhead_poc1
Header missing JFIF marker
[...]
Error : Premature end of file? in file 'jhead_poc1'
<Good enough - same as before>
The other two files also returned the same result so the code does reject malformed data.

CVE-2019-1010301
$ jhead SBO_gpsinfo.c_150_17_asan_plain_nocrash
[...]
Error : Unexpected end of file in file 'SBO_gpsinfo.c_150_17_asan_plain_nocrash'
<Good result - no abort>

CVE-2019-1010302
$ jhead OOBR_unknown_1_crash
Jfif header too short
[...]
Nonfatal Error : 'OOBR_unknown_1_crash' Pointer corruption in IPTC
<Good result - no segfault>

The man page mentions digikam but the utility can be used from the commandline to manipulate EXIF headers directly.

$ jhead Tiny_1.jpg
File name    : Tiny_1.jpg
File size    : 134934 bytes
File date    : 2018:07:05 11:28:55
Resolution   : 1600 x 1200
JPEG Quality : 76

$ cp Tiny_1.jpg tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 134934 bytes
File date    : 2019:12:31 22:53:59
Resolution   : 1600 x 1200
JPEG Quality : 76

$ jhead -te Tiny_1.jpg tiny_01.jpg
Modified: tiny_01.jpg
$ jhead -te Tiny_1.jpg tiny_01.jpg
Modified: tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 134934 bytes
File date    : 2019:12:31 22:53:59
Resolution   : 1600 x 1200
JPEG Quality : 76

<That did not work as expected, nor did this>

$ jhead -da2019:12:31-2018:07:05 tiny_01.jpg
File 'tiny_01.jpg' contains no Exif timestamp to change
$ jhead -da2019:12:31/22:53:59-2018:07:05/11:28:55 tiny_01.jpg
File 'tiny_01.jpg' contains no Exif timestamp to change
$ jhead -ts2018:07:05-11:28:55 tiny_01.jpg
File 'tiny_01.jpg' contains no Exif timestamp to change

$ jhead RAW_KODAK_DCSPRO.jpg
File name    : RAW_KODAK_DCSPRO.jpg
File size    : 5740298 bytes
File date    : 2017:10:04 11:46:57
Camera make  : Kodak
Camera model : DCS Pro SLR/n
Date/Time    : 2004:09:23 11:51:48
Resolution   : 3012 x 4516
Focal length : 35.0mm
Exposure time: 0.0029 s (1/350)
Aperture     : f/9.5
Metering Mode: multi spot
Exposure     : program (auto)
Jpeg process : Progressive
JPEG Quality : 100

$ jhead -ds2019:12:25 RAW_KODAK_DCSPRO.jpg
Modified: RAW_KODAK_DCSPRO.jpg
$ jhead RAW_KODAK_DCSPRO.jpg
File name    : RAW_KODAK_DCSPRO.jpg
File size    : 5740280 bytes
File date    : 2017:10:04 11:46:57
Camera make  : Kodak
Camera model : DCS Pro SLR/n
Date/Time    : 2019:12:25 11:51:48
Resolution   : 3012 x 4516
Focal length : 35.0mm
Exposure time: 0.0029 s (1/350)
Aperture     : f/9.5
Metering Mode: multi spot
Exposure     : program (auto)
Jpeg process : Progressive
JPEG Quality : 100

That seems to show that the data returned for tiny_01.jpg was not EXIF data but file header data.

$ jhead -mkexif tiny_01.jpg
Modified: tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 135052 bytes
File date    : 2019:12:31 22:53:59
Date/Time    : 2019:12:31 22:53:59
Resolution   : 1600 x 1200
JPEG Quality : 76

$ jhead -da2019:12:31/22:53:59-2018:07:05/11:28:55 tiny_01.jpg
Modified: tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 135052 bytes
File date    : 2019:12:31 22:53:59
Date/Time    : 2021:06:28 12:19:03
Resolution   : 1600 x 1200
JPEG Quality : 76

Apart from the time-travel bit that seems to have worked also. The man pages are a bit ambiguous - the timestamps need to be swapped over.

All this is good enough for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Good enough for me. Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0014.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED