Bug 1221918 (CVE-2024-2824)

Summary: VUL-0: CVE-2024-2824: jhead: heap-based buffer overflow in function PrintFormatNumber
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Petr Gajdos <pgajdos>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/398716/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-25 11:12:32 UTC 
A vulnerability was found in Matthias-Wandel jhead 3.08 and classified as critical. This issue affects the function PrintFormatNumber of the file exif.c. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257711.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2824
https://www.cve.org/CVERecord?id=CVE-2024-2824
https://github.com/Matthias-Wandel/jhead/files/14613084/poc.zip
https://github.com/Matthias-Wandel/jhead/issues/84
https://vuldb.com/?ctiid.257711
https://vuldb.com/?id.257711
Comment 1 Andrea Mattiazzo 2024-03-25 11:35:07 UTC 
Launching the poc without additional arguments doesn't trigger ASAN, asked more info on the github issue.
Comment 2 Petr Gajdos 2024-03-28 15:12:23 UTC 
reproducing commandline from the reporter

jhead -de -di -purejpg -cs /dev/null -ci /dev/null -cl string -zt -dsft -autorot -norot -cr -ca -ar -v poc

I see that now:
==507==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000000128 at pc 0x561615596875 bp 0x7ffff19333a0 sp 0x7ffff1933398
READ of size 8 at 0x511000000128 thread T0
    #0 0x561615596874 in PrintFormatNumber /usr/src/debug/jhead-3.08/exif.c:401
    #1 0x56161559b72a in ProcessGpsInfo /usr/src/debug/jhead-3.08/gpsinfo.c:215
    #2 0x56161559b72a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:884
    #3 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #4 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #5 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #6 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #7 0x56161559c23b in process_EXIF /usr/src/debug/jhead-3.08/exif.c:1063
    #8 0x56161559dbf7 in ReadJpegSections /usr/src/debug/jhead-3.08/jpgfile.c:290
    #9 0x56161559dbf7 in ReadJpegFile /usr/src/debug/jhead-3.08/jpgfile.c:385
    #10 0x56161559ea55 in ProcessFile /usr/src/debug/jhead-3.08/jhead.c:895
    #11 0x561615594a37 in main /usr/src/debug/jhead-3.08/jhead.c:1805
    #12 0x7feb5722a1ef in __libc_start_call_main (/lib64/libc.so.6+0x2a1ef) (BuildId: 07453469054b134d7f4829e267d0ac7b8a725ebc)
    #13 0x7feb5722a2b8 in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a2b8) (BuildId: 07453469054b134d7f4829e267d0ac7b8a725ebc)
    #14 0x5616155959b4 in _start ../sysdeps/x86_64/start.S:115

0x51100000012e is located 0 bytes after 238-byte region [0x511000000040,0x51100000012e)
allocated by thread T0 here:
    #0 0x7feb576fb6e7 in malloc (/lib64/libasan.so.8+0xfb6e7) (BuildId: 26775ff385a0faa6c609286325b8cf914b085af1)
    #1 0x56161559c85b in ReadJpegSections /usr/src/debug/jhead-3.08/jpgfile.c:175
    #2 0x56161559c85b in ReadJpegFile /usr/src/debug/jhead-3.08/jpgfile.c:385
Comment 3 Petr Gajdos 2024-04-22 06:25:39 UTC 
No news upstream.
Comment 4 Petr Gajdos 2024-05-28 07:56:29 UTC 
No news upstream.
Comment 5 Petr Gajdos 2024-06-20 08:32:41 UTC 
No news upstream.