Bug 1160547 - (CVE-2020-6624) VUL-1: CVE-2020-6624: jhead: heap-based buffer over-read in process_DQT in jpgqguess.c
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/250646/

Reported: 2020-01-09 08:50 UTC by Alexandros Toptsoglou
Modified: 2022-07-25 00:40 UTC

Found By: Security Response Team

Description Alexandros Toptsoglou 2020-01-09 08:50:38 UTC
CVE-2020-6624

jhead through 3.04 has a heap-based buffer over-read in process_DQT in
jpgqguess.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6624
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744
Comment 1 Petr Gajdos 2021-05-12 14:19:18 UTC
15.2/jhead-3.00

:/160547 # vgq jhead id_m075 > /dev/null

Nonfatal Error : 'id_m075' Suspicious offset of first Exif IFD value

Nonfatal Error : 'id_m075' Illegally sized Exif subdirectory (60138 entries)

Nonfatal Error : 'id_m075' Extraneous 11 padding bytes before section 03

Nonfatal Error : 'id_m075' Extraneous 10 padding bytes before section DB

Nonfatal Error : 'id_m075' Extraneous 12 padding bytes before section 03

Nonfatal Error : 'id_m075' Extraneous 164 padding bytes before section C4

Nonfatal Error : 'id_m075' Extraneous 10 padding bytes before section EA

Nonfatal Error : 'id_m075' Extraneous 10 padding bytes before section 03

Nonfatal Error : 'id_m075' Extraneous 11 padding bytes before section 03

Nonfatal Error : 'id_m075' Extraneous 10 padding bytes before section DB
==32234== Invalid read of size 1
==32234==    at 0x10E9DD: process_DQT (jpgqguess.c:107)
==32234==    by 0x10D889: ReadJpegSections (jpgfile.c:223)
==32234==    by 0x10DC92: ReadJpegFile (jpgfile.c:379)
==32234==    by 0x10BDFB: ProcessFile (jhead.c:905)
==32234==    by 0x10AB4B: main (jhead.c:1756)
==32234==  Address 0x552fc63 is 0 bytes after a block of size 67 alloc'd
==32234==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32234==    by 0x10D5C2: ReadJpegSections (jpgfile.c:173)
==32234==    by 0x10DC92: ReadJpegFile (jpgfile.c:379)
==32234==    by 0x10BDFB: ProcessFile (jhead.c:905)
==32234==    by 0x10AB4B: main (jhead.c:1756)
==32234== 
==32234== Invalid read of size 1
==32234==    at 0x10E98A: process_DQT (jpgqguess.c:111)
==32234==    by 0x10D889: ReadJpegSections (jpgfile.c:223)
==32234==    by 0x10DC92: ReadJpegFile (jpgfile.c:379)
==32234==    by 0x10BDFB: ProcessFile (jhead.c:905)
==32234==    by 0x10AB4B: main (jhead.c:1756)
==32234==  Address 0x552fc64 is 1 bytes after a block of size 67 alloc'd
==32234==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32234==    by 0x10D5C2: ReadJpegSections (jpgfile.c:173)
==32234==    by 0x10DC92: ReadJpegFile (jpgfile.c:379)
==32234==    by 0x10BDFB: ProcessFile (jhead.c:905)
==32234==    by 0x10AB4B: main (jhead.c:1756)
==32234== 

[...]
$


TW/jhead-3.06.0.1

No valgrind errors.
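
An added illustration, not code from jhead or from this report: a bounds-checked walk over a JPEG DQT section, where each table is one Pq/Tq byte followed by 64 entries of one or two bytes. The helper names and sample bytes are constructed; the sample is 67 bytes long to match the block size in the Valgrind report above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DQT_ENTRIES 64

/* Parse one DQT section into q[table_id][]. `seg` starts at the 2-byte
 * big-endian length field; `buf_len` is the size of the allocation holding it.
 * Returns the number of tables read, or -1 if a table would run past the data.
 * Hypothetical helper for illustration, not a jhead function. */
int dqt_read_tables(const uint8_t *seg, size_t buf_len, uint16_t q[4][DQT_ENTRIES])
{
    if (buf_len < 2) return -1;
    size_t declared = ((size_t)seg[0] << 8) | seg[1];
    if (declared < 2 || declared > buf_len) return -1;  /* length field exceeds buffer */

    size_t pos = 2;
    int tables = 0;
    while (pos < declared) {
        uint8_t pq_tq = seg[pos++];
        unsigned precision = pq_tq >> 4;   /* Pq: 0 = 8-bit entries, 1 = 16-bit */
        unsigned table_id = pq_tq & 0x0f;  /* Tq: 0..3 */
        if (precision > 1 || table_id > 3) return -1;
        size_t width = precision ? 2 : 1;
        if (DQT_ENTRIES * width > declared - pos) return -1;  /* check before any read */
        for (size_t i = 0; i < DQT_ENTRIES; i++, pos += width)
            q[table_id][i] = precision ? (uint16_t)((seg[pos] << 8) | seg[pos + 1])
                                       : seg[pos];
        tables++;
    }
    return tables;
}

/* Constructed sample: a 67-byte section (2 length + 1 Pq/Tq + 64 data bytes). */
void make_sample(uint8_t buf[67], uint8_t pq_tq)
{
    buf[0] = 0x00; buf[1] = 67;
    buf[2] = pq_tq;
    memset(buf + 3, 16, 64);
}

int main(void)
{
    uint8_t buf[67];
    uint16_t q[4][DQT_ENTRIES];
    make_sample(buf, 0x00);  /* 8-bit table: fits exactly */
    printf("8-bit header:  %d\n", dqt_read_tables(buf, sizeof buf, q));
    make_sample(buf, 0x10);  /* 16-bit header: would need 128 data bytes */
    printf("16-bit header: %d\n", dqt_read_tables(buf, sizeof buf, q));
    return 0;
}
```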
Comment 2 Petr Gajdos 2021-05-12 14:41:58 UTC
Fixed in 15.2 by version update to 3.06.0.1.

Let me know whether a submission in Backports is needed.
Comment 3 Petr Gajdos 2021-05-12 14:43:13 UTC
Submitted into 15.2/jhead.

I believe all fixed.
Comment 4 OBSbugzilla Bot 2021-05-12 15:10:09 UTC
This is an autogenerated message for OBS integration:
This bug (1160547) was mentioned in
https://build.opensuse.org/request/show/892517 15.2 / jhead
Comment 5 Swamp Workflow Management 2021-05-16 19:18:42 UTC
openSUSE-SU-2021:0743-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1144316,1144354,1160544,1160547
CVE References: CVE-2016-3822,CVE-2018-16554,CVE-2018-17088,CVE-2018-6612,CVE-2019-1010301,CVE-2019-1010302,CVE-2020-6624,CVE-2020-6625,CVE-2021-3496
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    jhead-3.06.0.1-lp152.7.6.1
Comment 6 Swamp Workflow Management 2021-05-19 19:16:20 UTC
openSUSE-SU-2021:0752-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1144316,1144354,1160544,1160547
CVE References: CVE-2016-3822,CVE-2018-16554,CVE-2018-17088,CVE-2018-6612,CVE-2019-1010301,CVE-2019-1010302,CVE-2020-6624,CVE-2020-6625,CVE-2021-3496
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    jhead-3.06.0.1-bp152.4.6.1
Comment 7 OBSbugzilla Bot 2022-07-25 00:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1160547) was mentioned in
https://build.opensuse.org/request/show/990913 Backports:SLE-15-SP3 / jhead