Bug 1184756 - (CVE-2021-3496) VUL-0: CVE-2021-3496: jhead: heap-based buffer overflow in Get16u() in exif.c
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Leap 15.2
Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/281739/
Depends on:
Blocks:
Reported: 2021-04-14 15:13 UTC by Alexander Bergmann
Modified: 2021-10-14 09:09 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2021-04-14 15:13:24 UTC
rh#1949245

A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.

Reference:
https://github.com/Matthias-Wandel/jhead/issues/33

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1949245
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3496
Comment 1 Petr Gajdos 2021-04-19 09:25:52 UTC
BEFORE

TW/jhead

$ valgrind  -q jhead jhead_poc.jpg

Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif

[...]

Nonfatal Error : 'jhead_poc.jpg' Too many components (808464688) for Exif maker tag 0004
==21482== Invalid read of size 2
==21482==    at 0x10E17C: UnknownInlinedFun (exif.c:320)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:123)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:184)
==21482==    by 0x10E17C: ProcessExifDir (exif.c:553)
==21482==    by 0x10EC1C: ProcessExifDir (exif.c:852)
==21482==    by 0x10F449: process_EXIF (exif.c:1041)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:287)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:119)
==21482==    by 0x110165: ReadJpegFile (jpgfile.c:379)
==21482==    by 0x110520: ProcessFile (jhead.c:905)
==21482==    by 0x10B6DB: main (jhead.c:1756)
==21482==  Address 0x4b6b7c4 is 20 bytes after a block of size 1,152 in arena "client"
==21482== 

Nonfatal Error : 'jhead_poc.jpg' Too many components 262148 for tag a000 in Exif

tag 0004

[...]

Nonfatal Error : 'jhead_poc.jpg' Too many components (808464688) for Exif maker tag 0004
==21482== Invalid read of size 2
==21482==    at 0x10E17C: UnknownInlinedFun (exif.c:320)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:123)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:184)
==21482==    by 0x10E17C: ProcessExifDir (exif.c:553)
==21482==    by 0x10EC1C: ProcessExifDir (exif.c:852)
==21482==    by 0x10E9AF: ProcessExifDir (exif.c:936)
==21482==    by 0x10EC1C: ProcessExifDir (exif.c:852)
==21482==    by 0x10F449: process_EXIF (exif.c:1041)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:287)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:119)
==21482==    by 0x110165: ReadJpegFile (jpgfile.c:379)
==21482==    by 0x110520: ProcessFile (jhead.c:905)
==21482==    by 0x10B6DB: main (jhead.c:1756)
==21482==  Address 0x4b6b7c4 is 20 bytes after a block of size 1,152 in arena "client"
==21482== 

Nonfatal Error : 'jhead_poc.jpg' Too many components 262148 for tag a000 in Exif

[...]

Nonfatal Error : 'jhead_poc.jpg' Illegal subdirectory link in Exif header

Error : Huff table too short
in file 'jhead_poc.jpg'
$



15.2/jhead

$ valgrind  -q jhead jhead_poc.jpg

Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif

[...]

Nonfatal Error : 'jhead_poc.jpg' Too many components (3684690) for Exif maker tag 0004

Nonfatal Error : 'jhead_poc.jpg' Too many components (808464688) for Exif maker tag 0004
==25059== Invalid read of size 2
==25059==    at 0x10F7A0: Get16u (exif.c:320)
==25059==    by 0x112FD8: ProcessCanonMakerNoteDir (makernote.c:123)
==25059==    by 0x112FD8: ProcessMakerNote (makernote.c:184)
==25059==    by 0x110281: ProcessExifDir (exif.c:554)
==25059==    by 0x110CF5: ProcessExifDir (exif.c:853)
==25059==    by 0x110F08: process_EXIF (exif.c:1035)
==25059==    by 0x10DF1A: ReadJpegSections.part.0 (jpgfile.c:287)
==25059==    by 0x10E1FD: ReadJpegSections (jpgfile.c:126)
==25059==    by 0x10E1FD: ReadJpegFile (jpgfile.c:375)
==25059==    by 0x10BB82: ProcessFile (jhead.c:896)
==25059==    by 0x10AB3B: main (jhead.c:1730)
==25059==  Address 0x552f814 is 20 bytes after a block of size 1,152 in arena "client"
==25059== 

Nonfatal Error : 'jhead_poc.jpg' Too many components 262148 for tag a000 in Exif

[...]

Nonfatal Error : 'jhead_poc.jpg' Extraneous 58 padding bytes before section C2

Error : Premature end of file?
in file 'jhead_poc.jpg'
$


PATCH

TW: update to 3.06.0.1
15.2:
https://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0


AFTER

TW/jhead

$ valgrind  -q jhead jhead_poc.jpg

Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif

[..]

Nonfatal Error : 'jhead_poc.jpg' Illegal subdirectory link in Exif header

Error : Huff table too short
in file 'jhead_poc.jpg'
$


15.2/jhead

$ valgrind  -q jhead jhead_poc.jpg

Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif

[...]

Error : Premature end of file?
in file 'jhead_poc.jpg'
$
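The valgrind traces above show Get16u() reading two bytes 20 bytes past a 1,152-byte heap block while walking a maker-note directory. As an added illustration (hypothetical code, not jhead's and not the linked fix), the reader below checks every 16-bit fetch against the end of the EXIF block and rejects IFD entries whose component count or value offset does not fit; the IFD layout follows the TIFF/EXIF directory format and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical bounds-checked EXIF reader (not jhead's code): every fetch is
 * checked against the end of the EXIF block, so an IFD entry carrying an absurd
 * component count or value offset is rejected instead of read out of bounds. */
typedef struct { const unsigned char *data; size_t len; int motorola; } ExifBlock;
static int get16(const ExifBlock *b, size_t off, uint32_t *out)
{   /* refuse any 2-byte read that would run past the block */
    if (off > b->len || b->len - off < 2) return 0;
    const unsigned char *p = b->data + off;
    *out = b->motorola ? (p[0] << 8) | p[1] : (p[1] << 8) | p[0];
    return 1;
}
static int get32(const ExifBlock *b, size_t off, uint32_t *out)
{   /* two checked 16-bit halves, joined in the block's byte order */
    uint32_t a, c;
    if (!get16(b, off, &a) || !get16(b, off + 2, &c)) return 0;
    *out = b->motorola ? (a << 16) | c : (c << 16) | a;
    return 1;
}
/* Walk one IFD: 2-byte entry count, then 12-byte entries (tag, format,
 * component count, value-or-offset). Returns entries accepted, or -1. */
static int walk_ifd(const ExifBlock *b, size_t dir)
{
    static const uint32_t bytes_per_format[13] = {0,1,1,2,4,8,1,1,2,4,8,4,8};
    uint32_t n, tag, fmt, comps, val;
    if (!get16(b, dir, &n) || n > (b->len - dir - 2) / 12) return -1;
    for (uint32_t i = 0; i < n; i++) {
        size_t e = dir + 2 + (size_t)i * 12;
        if (!get16(b, e, &tag) || !get16(b, e + 2, &fmt) ||
            !get32(b, e + 4, &comps) || !get32(b, e + 8, &val)) return -1;
        if (fmt < 1 || fmt > 12) return -1;
        uint64_t size = (uint64_t)comps * bytes_per_format[fmt];
        if (size > 4 && (val > b->len || size > b->len - val)) return -1; /* out-of-line value must fit */
    }
    return (int)n;
}
/* Constructed sample ("II" byte order): one ASCII entry, tag 0x0110 = "Canon". */
static const unsigned char sample[20] =
    {1,0, 0x10,0x01, 2,0, 6,0,0,0, 14,0,0,0, 'C','a','n','o','n',0};
static int demo_valid(void)                     /* returns 1: entry accepted */
{ ExifBlock b = {sample, sizeof sample, 0}; return walk_ifd(&b, 0); }
/* Same IFD with the component count patched to 808464688 (0x30303030), the
 * value in the valgrind log above: rejected instead of read past the block. */
static int demo_too_many_components(void)       /* returns -1 */
{
    unsigned char buf[20]; memcpy(buf, sample, sizeof buf);
    buf[6] = buf[7] = buf[8] = buf[9] = 0x30;
    ExifBlock b = {buf, sizeof buf, 0}; return walk_ifd(&b, 0);
}
```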
Comment 2 Petr Gajdos 2021-04-19 09:30:32 UTC
Package submitted for TW/jhead and 15.2/jhead.

Moreover, submitted for BP/15sp3, 15sp2, 15sp1, hopefully correctly.

I believe all fixed.
Comment 3 Swamp Workflow Management 2021-04-22 22:15:45 UTC
openSUSE-SU-2021:0594-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184756
CVE References: CVE-2021-3496
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    jhead-3.00-lp152.7.3.1
Comment 4 Swamp Workflow Management 2021-04-26 07:15:40 UTC
openSUSE-SU-2021:0620-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184756
CVE References: CVE-2021-3496
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    jhead-3.00-bp152.4.3.1
Comment 6 Marcus Meissner 2021-10-14 09:09:25 UTC
done