Bug 29053 - jhead new security issues CVE-2020-6624 CVE-2020-6625 CVE-2021-3496
Summary: jhead new security issues CVE-2020-6624 CVE-2020-6625 CVE-2021-3496
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal    Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-30 23:36 CEST by David Walser
Modified: 2023-06-20 14:42 CEST
CC: 3 users

See Also:
Source RPM: jhead-3.04-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 3.06.0.1


Description David Walser 2021-05-30 23:36:58 CEST
openSUSE has issued advisories on April 22 and May 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SCW5XBSBEM6OUDLCSLS5UW7BSRNESS4J/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/

The issues are fixed upstream in 3.06.0.1.

Mageia 7 is also affected.
David Walser 2021-05-30 23:37:11 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 3.06.0.1

Comment 1 Jani Välimaa 2021-06-29 08:27:10 CEST
Pushed the following pkgs to core/updates_testing:
jhead-3.06.0.1-1.mga7
jhead-3.06.0.1-1.mga8

Assignee: jani.valimaa => qa-bugs

Comment 2 David Walser 2021-07-01 00:21:21 CEST
PoCs:
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858746
https://github.com/Matthias-Wandel/jhead/issues/33

Advisory:
========================

Updated jhead package fixes security vulnerabilities:

jhead through 3.04 has a heap-based buffer over-read in process_DQT in
jpgqguess.c (CVE-2020-6624).

jhead through 3.04 has a heap-based buffer over-read in Get32s when called from
ProcessGpsInfo in gpsinfo.c (CVE-2020-6625).

A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in
exif.c when processing a crafted file (CVE-2021-3496).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3496
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SCW5XBSBEM6OUDLCSLS5UW7BSRNESS4J/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JPTEPBJVJFSKKHSTZER2JVIMRP7MGN2C/
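
Added example for readers of this report; it is not jhead's code and not part of the advisory. The advisory names the bugs only by function (process_DQT, Get32s called from ProcessGpsInfo, Get16u), which is the usual shape of this bug class: a fixed-width read whose pointer or offset is taken from the file without first being checked against the length of the buffer the file was read into. The C below walks IFD0 of a TIFF/EXIF blob that way. get16u/get32u mirror the shape of an unchecked helper (the names are mine and only resemble jhead's), read16/read32 are the checked form, ifd0_entry_count rejects the classic triggers (oversized entry count, out-of-line value offset past the end, truncated file), and the sample bytes are constructed for this example, not taken from a real camera file or from the PoCs linked above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked reads in the shape of a helper such as Get16u(): they trust the
 * pointer they are handed, so they are only safe when every caller has
 * already proved that the bytes exist.  The callers are the hazard. */
static unsigned get16u(const uint8_t *p, int motorola)
{
    return motorola ? ((unsigned)p[0] << 8) | p[1]
                    : ((unsigned)p[1] << 8) | p[0];
}

static uint32_t get32u(const uint8_t *p, int motorola)
{
    return motorola ? ((uint32_t)get16u(p, 1) << 16) | get16u(p + 2, 1)
                    : ((uint32_t)get16u(p + 2, 0) << 16) | get16u(p, 0);
}

/* Checked wrappers: fail (return 0) instead of reading past data + len. */
static int read16(const uint8_t *data, size_t len, size_t off, int mm, unsigned *out)
{
    if (off > len || len - off < 2) return 0;
    *out = get16u(data + off, mm);
    return 1;
}

static int read32(const uint8_t *data, size_t len, size_t off, int mm, uint32_t *out)
{
    if (off > len || len - off < 4) return 0;
    *out = get32u(data + off, mm);
    return 1;
}

/* Size in bytes of TIFF data types 1 (BYTE) .. 12 (DOUBLE); index 0 is invalid. */
static const uint64_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Walks IFD0 and returns its entry count, or -1 when the header, the entry
 * count, an entry's type or an out-of-line value would require reading
 * outside [data, data + len). */
int ifd0_entry_count(const uint8_t *data, size_t len)
{
    int mm;
    unsigned magic, n;
    uint32_t ifd_off;

    if (len < 8) return -1;
    if (memcmp(data, "MM", 2) == 0) mm = 1;        /* big-endian (Motorola) */
    else if (memcmp(data, "II", 2) == 0) mm = 0;   /* little-endian (Intel) */
    else return -1;
    if (!read16(data, len, 2, mm, &magic) || magic != 42) return -1;
    if (!read32(data, len, 4, mm, &ifd_off)) return -1;
    if (!read16(data, len, ifd_off, mm, &n)) return -1;

    /* The crafted-file trigger: an entry count larger than the buffer holds.
     * Reject it here instead of letting the loop read n * 12 bytes of heap
     * beyond the end of the file data. */
    size_t entries = (size_t)ifd_off + 2;              /* <= len, read16 succeeded */
    if (len - entries < (size_t)n * 12 + 4) return -1; /* +4: next-IFD offset */

    for (unsigned i = 0; i < n; i++) {
        size_t e = entries + (size_t)i * 12;           /* tag(2) type(2) count(4) value(4) */
        unsigned type;
        uint32_t count, value_off;
        read16(data, len, e + 2, mm, &type);           /* in bounds by the check above */
        read32(data, len, e + 4, mm, &count);
        if (type == 0 || type > 12) return -1;
        uint64_t bytes = tiff_type_size[type] * count; /* fits in 64 bits */
        if (bytes > 4) {                               /* value stored out of line */
            read32(data, len, e + 8, mm, &value_off);
            if (value_off > len || len - value_off < bytes) return -1;
        }
    }
    return (int)n;
}

/* Constructed sample (not a real camera file): little-endian header, IFD0
 * with two ASCII entries (Make out of line at offset 38, Model inline). */
static const uint8_t sample_exif[] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,                             /* header, IFD0 at 8 */
    0x02, 0x00,                                                               /* 2 entries */
    0x0F, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00,   /* Make: 6 bytes @38 */
    0x10, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 'I', 'X', 'U', 'S',       /* Model: inline */
    0x00, 0x00, 0x00, 0x00,                                                   /* no next IFD */
    'C', 'a', 'n', 'o', 'n', 0x00
};

/* Each check below patches a copy of the sample and returns 1 if rejected. */
int huge_count_rejected(void)
{
    uint8_t buf[sizeof sample_exif];
    memcpy(buf, sample_exif, sizeof buf);
    buf[8] = 0xFF; buf[9] = 0xFF;              /* claims 65535 entries */
    return ifd0_entry_count(buf, sizeof buf) == -1;
}

int dangling_value_rejected(void)
{
    uint8_t buf[sizeof sample_exif];
    memcpy(buf, sample_exif, sizeof buf);
    memset(buf + 18, 0xFF, 4);                 /* Make's value offset -> 0xFFFFFFFF */
    return ifd0_entry_count(buf, sizeof buf) == -1;
}

int truncated_rejected(void)
{
    return ifd0_entry_count(sample_exif, 20) == -1;   /* file cut inside entry 1 */
}

int main(void)
{
    printf("sample: %d entries\n", ifd0_entry_count(sample_exif, sizeof sample_exif));
    printf("huge count rejected: %d, dangling value rejected: %d, truncated rejected: %d\n",
           huge_count_rejected(), dangling_value_rejected(), truncated_rejected());
    return 0;
}
```

The design point is that the unchecked helpers stay small and fast, and every bounds decision is made once, at the place where the length from the file meets the length of the buffer, before any loop that reads by that count. When checking a fix like 3.06.0.1, the same three mutated inputs (oversized count, value offset past the end, truncated file) are a sensible regression set to run under AddressSanitizer.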
Comment 3 Herman Viaene 2021-07-06 12:02:36 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
This is a tool to read EXIF from jpg
$ jhead gedraaid.jpg 
File name    : gedraaid.jpg
File size    : 1342848 bytes
File date    : 2021:06:23 15:18:47
Camera make  : Canon
Camera model : Canon IXUS 240 HS
Date/Time    : 2014:01:19 14:55:48
Resolution   : 3456 x 4608
Flash used   : No
Focal length : 15.4mm  (35mm equivalent: 90mm)
CCD width    : 6.17mm
Exposure time: 0.125 s  (1/8)
Aperture     : f/5.6
Focus dist.  : 1.53m
ISO equiv.   : 1600
Whitebalance : Auto
Metering Mode: pattern
JPEG Quality : 75

Looks OK

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 4 David Walser 2021-07-08 23:51:59 CEST
$ jhead ~/Download/whatididntlearninschool.jpg 
File name    : /home/<user>/Download/whatididntlearninschool.jpg
File size    : 48621 bytes
File date    : 2015:08:22 06:24:23
Resolution   : 500 x 500
Jpeg process : Progressive
JPEG Quality : 71
======= IPTC data: =======
OriginalTransmissionReference: PxkB_AgQm20tlacYorZI
Spec. Instr.  : FBMD01000abe03000043110000882a0000822b0000dc2c0000c44d0000ec7300001e770000d4790000257d0000edbd0000


Looks OK on x86_64.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 5 Thomas Andrews 2021-07-09 01:35:42 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-07-10 12:11:58 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-07-10 14:58:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0328.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2023-06-20 14:31:57 CEST
This update also fixed CVE-2021-28276 and CVE-2021-28278:
https://ubuntu.com/security/notices/USN-6098-1
Comment 8 David Walser 2023-06-20 14:32:56 CEST
(In reply to David Walser from comment #7)
> This update also fixed CVE-2021-28276 and CVE-2021-28278:
> https://ubuntu.com/security/notices/USN-6098-1

as well as CVE-2020-26208.
Comment 9 David Walser 2023-06-20 14:42:48 CEST
(In reply to David Walser from comment #7)
> This update also fixed CVE-2021-28276 and CVE-2021-28278:
> https://ubuntu.com/security/notices/USN-6098-1

as well as CVE-2021-28275 and CVE-2021-28277:
https://ubuntu.com/security/notices/USN-6110-1