Bug 25938 - jhead new security issues CVE-2019-19035, CVE-2019-1010301, and CVE-2019-1010302
Summary: jhead new security issues CVE-2019-19035, CVE-2019-1010301, and CVE-2019-1010302
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-23 22:08 CET by David Walser
Modified: 2020-01-05 16:40 CET
CC: 6 users

See Also:
Source RPM: jhead-3.03-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-12-23 22:08:13 CET
Fedora has issued an advisory on August 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3WVQTORTGQE56XXC6OVHQCSCUGABRMQZ/

Mageia 7 is also affected.
David Walser 2019-12-23 22:08:27 CET

Whiteboard: (none) => MGA7TOO
CC: (none) => geiger.david68210

Comment 1 Lewis Smith 2019-12-24 21:29:47 CET
Assigning to Jani both as registered maintainer & current committer.

Assignee: bugsquad => jani.valimaa

Comment 2 David Walser 2019-12-27 04:23:05 CET
Fedora has issued an advisory on December 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GPNV43VBUCMUBRBKPJBY4DDSYLHQ2GFR/

It fixes one more security issue.

All of these issues are fixed upstream in 3.04.

Severity: normal => major
Summary: jhead new security issues CVE-2019-1010301 and CVE-2019-1010302 => jhead new security issues CVE-2019-19035, CVE-2019-1010301, and CVE-2019-1010302

Comment 3 Jani Välimaa 2019-12-27 07:13:28 CET
Pushed 3.04 to current cauldron and to core/updates_testing for mga7. Please test.

(S)RPM: jhead-3.04-1.mga7

Version: Cauldron => 7
Assignee: jani.valimaa => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => jani.valimaa

Comment 4 David Walser 2019-12-27 15:50:52 CET
Advisory:
========================

Updated jhead package fixes security vulnerabilities:

A vulnerability was found in jhead 3.03, which is affected by: Buffer Overflow. The
impact is: Denial of service. The component is: gpsinfo.c Line 151
ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file
(CVE-2019-1010301).

A vulnerability was found in jhead 3.03, which is affected by: Incorrect Access
Control. The impact is: Denial of service. The component is: iptc.c Line 122
show_IPTC(). The attack vector is: the victim must open a specially crafted
JPEG file (CVE-2019-1010302).

jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial
of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c.
The attack vector is: Open a specially crafted JPEG file (CVE-2019-19035).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010301
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010302
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3WVQTORTGQE56XXC6OVHQCSCUGABRMQZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GPNV43VBUCMUBRBKPJBY4DDSYLHQ2GFR/
Comment 5 Len Lawrence 2020-01-01 00:48:12 CET
Mageia7, x86_64

Before updating:

CVE-2019-19035
https://bugzilla.redhat.com/show_bug.cgi?id=1765647
Three test files available, one designed to be run in an asan framework.

$ jhead jhead_poc1
Header missing JFIF marker
Jfif header too short
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker
Header missing JFIF marker

Nonfatal Error : 'jhead_poc1' Extraneous 10 padding bytes before section E0
Header missing JFIF marker

Nonfatal Error : 'jhead_poc1' Extraneous 11 padding bytes before section B6

Error : Premature end of file?
in file 'jhead_poc1'

$ jhead jhead_poc2

Error : Huff table too short
in file 'jhead_poc2'

$ jhead jhead_poc3

Nonfatal Error : 'jhead_poc3' Extraneous 89 padding bytes before section C4

Error : Huff table too short
in file 'jhead_poc3'

Upstream says to expect crashes - maybe true if compiled with asan.

CVE-2019-1010301
https://bugzilla.redhat.com/show_bug.cgi?id=1679952
Stack buffer overflow.
$ jhead SBO_gpsinfo.c_150_17_asan_plain_nocrash
<Some non-fatal errors>
Nonfatal Error : 'SBO_gpsinfo.c_150_17_asan_plain_nocrash' Inappropriate format (11) for Exif GPS coordinates!
*** buffer overflow detected ***: jhead terminated
Aborted (core dumped)

CVE-2019-1010302
https://bugzilla.redhat.com/show_bug.cgi?id=1679978
$ jhead OOBR_unknown_1_crash
Header missing JFIF marker
Jfif header too short
Nonfatal Error : 'OOBR_unknown_1_crash' Extraneous 17 padding bytes before section ED
Nonfatal Error : 'OOBR_unknown_1_crash' Extraneous 24 padding bytes before section D5
File name    : OOBR_unknown_1_crash
File size    : 127 bytes
[...]
Segmentation fault (core dumped)

Updated jhead and retested the PoC.

CVE-2019-19035
$ jhead jhead_poc1
Header missing JFIF marker
[...]
Error : Premature end of file?
in file 'jhead_poc1'
<Good enough - same as before>
The other two files also returned the same result so the code does reject malformed data.

CVE-2019-1010301
$ jhead SBO_gpsinfo.c_150_17_asan_plain_nocrash
[...]
Error : Unexpected end of file
in file 'SBO_gpsinfo.c_150_17_asan_plain_nocrash'
<Good result - no abort>

CVE-2019-1010302
$ jhead OOBR_unknown_1_crash
Jfif header too short
[...]
Nonfatal Error : 'OOBR_unknown_1_crash' Pointer corruption in IPTC
<Good result - no segfault>

The man page mentions digikam but the utility can be used from the commandline to manipulate EXIF headers directly.
$ jhead Tiny_1.jpg
File name    : Tiny_1.jpg
File size    : 134934 bytes
File date    : 2018:07:05 11:28:55
Resolution   : 1600 x 1200
JPEG Quality : 76
$ cp Tiny_1.jpg tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 134934 bytes
File date    : 2019:12:31 22:53:59
Resolution   : 1600 x 1200
JPEG Quality : 76
$ jhead -te Tiny_1.jpg tiny_01.jpg
Modified: tiny_01.jpg
$ jhead -te Tiny_1.jpg tiny_01.jpg
Modified: tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 134934 bytes
File date    : 2019:12:31 22:53:59
Resolution   : 1600 x 1200
JPEG Quality : 76
<That did not work as expected, nor did this>
$ jhead -da2019:12:31-2018:07:05 tiny_01.jpg 
File 'tiny_01.jpg' contains no Exif timestamp to change
$ jhead -da2019:12:31/22:53:59-2018:07:05/11:28:55 tiny_01.jpg  
File 'tiny_01.jpg' contains no Exif timestamp to change
$ jhead -ts2018:07:05-11:28:55 tiny_01.jpg 
File 'tiny_01.jpg' contains no Exif timestamp to change

$ jhead RAW_KODAK_DCSPRO.jpg
File name    : RAW_KODAK_DCSPRO.jpg
File size    : 5740298 bytes
File date    : 2017:10:04 11:46:57
Camera make  : Kodak
Camera model : DCS Pro SLR/n
Date/Time    : 2004:09:23 11:51:48
Resolution   : 3012 x 4516
Focal length : 35.0mm
Exposure time: 0.0029 s  (1/350)
Aperture     : f/9.5
Metering Mode: multi spot
Exposure     : program (auto)
Jpeg process : Progressive
JPEG Quality : 100
$ jhead -ds2019:12:25 RAW_KODAK_DCSPRO.jpg
Modified: RAW_KODAK_DCSPRO.jpg
$ jhead RAW_KODAK_DCSPRO.jpg
File name    : RAW_KODAK_DCSPRO.jpg
File size    : 5740280 bytes
File date    : 2017:10:04 11:46:57
Camera make  : Kodak
Camera model : DCS Pro SLR/n
Date/Time    : 2019:12:25 11:51:48
Resolution   : 3012 x 4516
Focal length : 35.0mm
Exposure time: 0.0029 s  (1/350)
Aperture     : f/9.5
Metering Mode: multi spot
Exposure     : program (auto)
Jpeg process : Progressive
JPEG Quality : 100

That seems to show that the data returned for tiny_01.jpg was not EXIF data but file header data.

$ jhead -mkexif tiny_01.jpg
Modified: tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 135052 bytes
File date    : 2019:12:31 22:53:59
Date/Time    : 2019:12:31 22:53:59
Resolution   : 1600 x 1200
JPEG Quality : 76
$ jhead -da2019:12:31/22:53:59-2018:07:05/11:28:55 tiny_01.jpg
Modified: tiny_01.jpg
$ jhead tiny_01.jpg
File name    : tiny_01.jpg
File size    : 135052 bytes
File date    : 2019:12:31 22:53:59
Date/Time    : 2021:06:28 12:19:03
Resolution   : 1600 x 1200
JPEG Quality : 76

Apart from the time-travel bit, that seems to have worked also. The man pages are a bit ambiguous: the timestamps need to be swapped over.

All this is good enough for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
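As an added illustration of the section-length validation that the advisory in Comment 4 is about (the over-read in ReadJpegSections/process_SOFn) and of the "padding bytes" / "premature end of file" / "Jfif header too short" messages seen in the Comment 5 test runs, here is a small JPEG marker-segment walker. It is example code written for this page, not jhead's source; the byte strings are constructed samples, not the PoC files from the Red Hat bugs.

```python
import struct
EOI, SOS = 0xD9, 0xDA
is_sof = lambda m: 0xC0 <= m <= 0xCF and m not in (0xC4, 0xC8, 0xCC)  # SOF0..15 minus DHT/JPG/DAC

def walk_sections(data):
    """Return (sections, problems); sections are (marker, offset, length) tuples."""
    sections, problems = [], []
    if data[:2] != b"\xff\xd8":
        return sections, ["missing SOI marker"]
    pos = 2
    while True:
        start = pos
        while pos < len(data) and data[pos] != 0xFF:   # bytes jhead reports as extraneous padding
            pos += 1
        padding = pos - start
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes before a marker are legal
            pos += 1
        if pos >= len(data):
            problems.append("premature end of file: no marker")
            break
        marker, pos = data[pos], pos + 1
        if padding:
            problems.append(f"{padding} padding bytes before section {marker:02X}")
        if marker in (EOI, SOS):
            sections.append((marker, pos - 2, 0))        # entropy-coded data follows SOS; stop here
            break
        if pos + 2 > len(data):
            problems.append(f"premature end of file in length of section {marker:02X}")
            break
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2 or pos + length > len(data):       # bounds check before touching the payload
            problems.append(f"section {marker:02X} length {length} overruns file")
            break
        payload = data[pos + 2:pos + length]
        if marker == 0xE0 and (length < 16 or payload[:5] != b"JFIF\x00"):
            problems.append("JFIF header too short or malformed")
        if is_sof(marker) and (len(payload) < 6 or len(payload) < 6 + 3 * payload[5]):
            problems.append(f"SOF{marker - 0xC0} too short for its component table")
        sections.append((marker, pos - 2, length))
        pos += length
    return sections, problems

# Constructed samples (not jhead's PoC files): SOI + JFIF APP0 + SOF0 + SOS, and malformed variants
JFIF = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOF0 = b"\xff\xc0\x00\x0b\x08\x00\x10\x00\x10\x01\x01\x11\x00"           # 1 component, length consistent
GOOD = b"\xff\xd8" + JFIF + SOF0 + b"\xff\xda"
SHORT_SOF = GOOD.replace(b"\x10\x01\x01\x11", b"\x10\x03\x01\x11")      # SOF0 claims 3 components in 9 bytes
TRUNCATED = b"\xff\xd8" + JFIF + b"\xff\xe1\xff\xffExif\x00\x00"        # APP1 length runs past end of file
PADDED = b"\xff\xd8\x00\x00\x00" + JFIF + SOF0 + b"\xff\xda"             # 3 junk bytes before APP0
```

The SOF check is the one that matters for the process_SOFn over-read: the component count inside the segment must fit within the length the segment itself declares, and the declared length must fit within the file, before any of it is read.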

Comment 6 Thomas Andrews 2020-01-01 19:16:06 CET
Good enough for me. Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 12:54:59 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-01-05 16:40:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0014.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

