Bugzilla – Bug 1184756
VUL-0: CVE-2021-3496: jhead: heap-based buffer overflow in Get16u() in exif.c
Last modified: 2021-10-14 09:09:25 UTC
rh#1949245

A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.

Reference:
https://github.com/Matthias-Wandel/jhead/issues/33

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1949245
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3496
BEFORE

TW/jhead $ valgrind -q jhead jhead_poc.jpg
Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif
[...]
Nonfatal Error : 'jhead_poc.jpg' Too many components (808464688) for Exif maker tag 0004
==21482== Invalid read of size 2
==21482==    at 0x10E17C: UnknownInlinedFun (exif.c:320)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:123)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:184)
==21482==    by 0x10E17C: ProcessExifDir (exif.c:553)
==21482==    by 0x10EC1C: ProcessExifDir (exif.c:852)
==21482==    by 0x10F449: process_EXIF (exif.c:1041)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:287)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:119)
==21482==    by 0x110165: ReadJpegFile (jpgfile.c:379)
==21482==    by 0x110520: ProcessFile (jhead.c:905)
==21482==    by 0x10B6DB: main (jhead.c:1756)
==21482==  Address 0x4b6b7c4 is 20 bytes after a block of size 1,152 in arena "client"
==21482==
Nonfatal Error : 'jhead_poc.jpg' Too many components 262148 for tag a000 in Exif
[...]
Nonfatal Error : 'jhead_poc.jpg' Too many components (808464688) for Exif maker tag 0004
==21482== Invalid read of size 2
==21482==    at 0x10E17C: UnknownInlinedFun (exif.c:320)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:123)
==21482==    by 0x10E17C: UnknownInlinedFun (makernote.c:184)
==21482==    by 0x10E17C: ProcessExifDir (exif.c:553)
==21482==    by 0x10EC1C: ProcessExifDir (exif.c:852)
==21482==    by 0x10E9AF: ProcessExifDir (exif.c:936)
==21482==    by 0x10EC1C: ProcessExifDir (exif.c:852)
==21482==    by 0x10F449: process_EXIF (exif.c:1041)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:287)
==21482==    by 0x110165: UnknownInlinedFun (jpgfile.c:119)
==21482==    by 0x110165: ReadJpegFile (jpgfile.c:379)
==21482==    by 0x110520: ProcessFile (jhead.c:905)
==21482==    by 0x10B6DB: main (jhead.c:1756)
==21482==  Address 0x4b6b7c4 is 20 bytes after a block of size 1,152 in arena "client"
==21482==
Nonfatal Error : 'jhead_poc.jpg' Too many components 262148 for tag a000 in Exif
[...]
Nonfatal Error : 'jhead_poc.jpg' Illegal subdirectory link in Exif header
Error : Huff table too short in file 'jhead_poc.jpg'
$

15.2/jhead $ valgrind -q jhead jhead_poc.jpg
Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif
[...]
Nonfatal Error : 'jhead_poc.jpg' Too many components (3684690) for Exif maker tag 0004
Nonfatal Error : 'jhead_poc.jpg' Too many components (808464688) for Exif maker tag 0004
==25059== Invalid read of size 2
==25059==    at 0x10F7A0: Get16u (exif.c:320)
==25059==    by 0x112FD8: ProcessCanonMakerNoteDir (makernote.c:123)
==25059==    by 0x112FD8: ProcessMakerNote (makernote.c:184)
==25059==    by 0x110281: ProcessExifDir (exif.c:554)
==25059==    by 0x110CF5: ProcessExifDir (exif.c:853)
==25059==    by 0x110F08: process_EXIF (exif.c:1035)
==25059==    by 0x10DF1A: ReadJpegSections.part.0 (jpgfile.c:287)
==25059==    by 0x10E1FD: ReadJpegSections (jpgfile.c:126)
==25059==    by 0x10E1FD: ReadJpegFile (jpgfile.c:375)
==25059==    by 0x10BB82: ProcessFile (jhead.c:896)
==25059==    by 0x10AB3B: main (jhead.c:1730)
==25059==  Address 0x552f814 is 20 bytes after a block of size 1,152 in arena "client"
==25059==
Nonfatal Error : 'jhead_poc.jpg' Too many components 262148 for tag a000 in Exif
[...]
Nonfatal Error : 'jhead_poc.jpg' Extraneous 58 padding bytes before section C2
Error : Premature end of file? in file 'jhead_poc.jpg'
$

PATCH

TW: update to 3.06.0.1
15.2: https://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0

AFTER

TW/jhead $ valgrind -q jhead jhead_poc.jpg
Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif
[...]
Nonfatal Error : 'jhead_poc.jpg' Illegal subdirectory link in Exif header
Error : Huff table too short in file 'jhead_poc.jpg'
$

15.2/jhead $ valgrind -q jhead jhead_poc.jpg
Nonfatal Error : 'jhead_poc.jpg' Illegal value pointer for tag 0110 in Exif
[...]
Error : Premature end of file? in file 'jhead_poc.jpg'
$
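Both traces above end in Get16u() reading two bytes just past the end of the heap block that holds the EXIF data, reached from the maker-note directory that was parsed out of a crafted entry. The following C program is an added illustration of that pattern, not jhead's code and not the patch linked above: it walks a minimal little-endian TIFF/EXIF IFD in two modes, one that takes the value pointer from the file and dereferences it as-is, and one that validates the entry table and every value pointer against the buffer length before reading. The sample block, the sentinel-filled arena around it, the 0x10000 component cap and all function and field names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not jhead's code): minimal little-endian IFD walker.
 * checked == 0 mirrors the unchecked value-pointer pattern behind the
 * valgrind report; checked == 1 bounds-checks everything before reading. */

#define SENTINEL       0xEE     /* stands in for "memory after the EXIF block" */
#define MAX_COMPONENTS 0x10000  /* arbitrary sanity cap chosen for this example */
#define NUM_FORMATS    12
static const int BytesPerFormat[] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

struct ifd_result {
    int entries;          /* directory entries visited */
    int errors;           /* entries (or directories) rejected by a bounds check */
    int tag4_read;        /* 1 if the value of tag 0x0004 was read */
    uint16_t tag4_value;  /* first SHORT of tag 0x0004 */
    char model[16];       /* tag 0x0110 (Model), NUL-terminated */
};

static uint16_t Get16u(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t Get32u(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void Put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void Put32(uint8_t *p, uint32_t v) { Put16(p, (uint16_t)(v & 0xffff)); Put16(p + 2, (uint16_t)(v >> 16)); }

/* Walk IFD0. Returns 0, or -1 if the TIFF header itself is unusable. */
int walk_ifd(const uint8_t *exif, size_t exif_len, int checked, struct ifd_result *r)
{
    memset(r, 0, sizeof *r);
    if (exif_len < 8 || exif[0] != 'I' || exif[1] != 'I') return -1;
    uint32_t dir_off = Get32u(exif + 4);
    if (dir_off + 2 > exif_len) return -1;              /* need at least the entry count */
    unsigned n = Get16u(exif + dir_off);
    if (checked && dir_off + 2 + 12u * n + 4 > exif_len) {
        r->errors++;                                    /* entry table would run past the buffer */
        return 0;
    }
    for (unsigned i = 0; i < n; i++) {
        const uint8_t *entry = exif + dir_off + 2 + 12 * i;
        uint16_t tag = Get16u(entry);
        uint16_t format = Get16u(entry + 2);
        uint32_t components = Get32u(entry + 4);
        r->entries++;
        if (format < 1 || format > NUM_FORMATS) { r->errors++; continue; }   /* needed to index the table */
        if (checked && components > MAX_COMPONENTS) { r->errors++; continue; }
        uint32_t byte_count = components * (uint32_t)BytesPerFormat[format];
        const uint8_t *value;
        if (byte_count > 4) {
            uint32_t off = Get32u(entry + 8);           /* value lives elsewhere in the block */
            if (checked && (off > exif_len || byte_count > exif_len - off)) {
                r->errors++;                            /* illegal value pointer: skip the entry */
                continue;
            }
            value = exif + off;                         /* unchecked: trust whatever the file says */
        } else {
            value = entry + 8;                          /* value stored inline in the entry */
        }
        if (tag == 0x0110) {
            size_t len = byte_count < sizeof r->model - 1 ? byte_count : sizeof r->model - 1;
            memcpy(r->model, value, len);
        } else if (tag == 0x0004 && format == 3) {
            r->tag4_value = Get16u(value);
            r->tag4_read = 1;
        }
    }
    return 0;
}

/* Constructed sample: a 56-byte EXIF block whose second entry (tag 0x0004,
 * four SHORTs) points to offset 64, past the end of the block. The arena is
 * pre-filled with SENTINEL so the out-of-bounds read is visible rather than
 * undefined. Returns the EXIF block length (0 if the arena is too small). */
size_t build_sample(uint8_t *arena, size_t arena_len)
{
    const size_t exif_len = 56;
    if (arena_len < 80) return 0;
    memset(arena, SENTINEL, arena_len);
    uint8_t *e = arena;
    memset(e, 0, exif_len);
    e[0] = 'I'; e[1] = 'I'; Put16(e + 2, 42); Put32(e + 4, 8);     /* TIFF header, IFD0 at 8 */
    Put16(e + 8, 2);                                                /* two entries */
    Put16(e + 10, 0x0110); Put16(e + 12, 2); Put32(e + 14, 6); Put32(e + 18, 38);  /* Model, ASCII */
    Put16(e + 22, 0x0004); Put16(e + 24, 3); Put32(e + 26, 4); Put32(e + 30, 64);  /* bogus pointer */
    Put32(e + 34, 0);                                               /* no next IFD */
    memcpy(e + 38, "Canon", 6);
    return exif_len;
}

int main(void)
{
    uint8_t arena[128];
    size_t len = build_sample(arena, sizeof arena);
    struct ifd_result r;
    walk_ifd(arena, len, 0, &r);
    printf("unchecked: errors=%d tag4 value=0x%04x (read beyond the %zu-byte block)\n", r.errors, r.tag4_value, len);
    walk_ifd(arena, len, 1, &r);
    printf("checked:   errors=%d tag4 read=%d model=%s\n", r.errors, r.tag4_read, r.model);
    return 0;
}
```

The unchecked walk returns 0xEEEE for tag 0x0004, the sentinel placed after the 56-byte block; in a real process that is whatever follows the heap allocation, which is what valgrind reports above as an address "20 bytes after a block of size 1,152". The checked walk rejects that entry, still reads the Model tag, and continues, which is the shape of the post-patch runs above: the bogus data is reported as a nonfatal error and no invalid read follows.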
Package submitted for TW/jhead and 15.2/jhead. Moreover, submitted for BP/15sp3, 15sp2, 15sp1, hopefully correctly. I believe all are fixed.
openSUSE-SU-2021:0594-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184756
CVE References: CVE-2021-3496
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): jhead-3.00-lp152.7.3.1
openSUSE-SU-2021:0620-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184756
CVE References: CVE-2021-3496
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): jhead-3.00-bp152.4.3.1
done