diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog
--- jhead-3.00/debian/changelog 2023-05-16 08:57:25.000000000 +0000
+++ jhead-3.00/debian/changelog 2023-05-24 11:04:08.000000000 +0000
@@ -1,3 +1,16 @@
+jhead (1:3.00-8~ubuntu0.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: heap buffer overflow while rotating an image
+ - debian/patches/CVE-2021-34055.patch: If a read EXIF section in
+ jpgfile.c, then discard it.
+ - CVE-2021-34055
+ * SECURITY UPDATE: code execution when regenerating the Exif thumbnail
+ - debian/patches/CVE-2022-41751.patch: Adds a check in jhead.c for
+ dangerous characters in filenames.
+ - CVE-2022-41751
+
+ -- George-Andrei Iosif Wed, 24 May 2023 14:04:08 +0300
+
 jhead (1:3.00-8~ubuntu0.1) bionic-security; urgency=medium + * SECURITY UPDATE: heap out-of-bounds read when processing the JFIF markers
diff -Nru jhead-3.00/debian/patches/CVE-2021-34055.patch jhead-3.00/debian/patches/CVE-2021-34055.patch
--- jhead-3.00/debian/patches/CVE-2021-34055.patch 1970-01-01 00:00:00.000000000 +0000
+++ jhead-3.00/debian/patches/CVE-2021-34055.patch 2023-05-24 11:01:55.000000000 +0000
@@ -0,0 +1,98 @@
+From: Joachim Reichel
+Description: Fix CVE-2021-34055
+Origin: https://github.com/Matthias-Wandel/jhead/commit/f0a884210cc46830b176f71fd61569adc8f230a7
+Bug: https://github.com/Matthias-Wandel/jhead/issues/36
+Bug-Debian: https://bugs.debian.org/1024272
+
+Index: jhead-3.00/jhead.h
+===================================================================
+--- jhead-3.00.orig/jhead.h
++++ jhead-3.00/jhead.h
+@@ -157,7 +157,7 @@ void FileTimeAsString(char * TimeStr);
+
+ // Prototypes for exif.c functions.
+ int Exif2tm(struct tm * timeptr, char * ExifTime);
+-void process_EXIF (unsigned char * CharBuf, unsigned int length);
++int process_EXIF (unsigned char * CharBuf, int length);
+ void ShowImageInfo(int ShowFileInfo);
+ void ShowConciseImageInfo(void);
+ const char * ClearOrientation(void);
+Index: jhead-3.00/jpgfile.c
+===================================================================
+--- jhead-3.00.orig/jpgfile.c
++++ jhead-3.00/jpgfile.c
+@@ -287,7 +287,10 @@ int ReadJpegSections (FILE * infile, Rea
+ // There can be different section using the same marker.
+ if (ReadMode & READ_METADATA){
+ if (memcmp(Data+2, "Exif", 4) == 0){
+- process_EXIF(Data, itemlen);
++ if (!process_EXIF(Data, itemlen)){
++ // malformatted exif sections, discard.
++ free(Sections[--SectionsRead].Data);
++ }
+ break;
+ }else if (memcmp(Data+2, "http:", 5) == 0){
+ Sections[SectionsRead-1].Type = M_XMP; // Change tag for internal purposes.
+Index: jhead-3.00/exif.c
+===================================================================
+--- jhead-3.00.orig/exif.c
++++ jhead-3.00/exif.c
+@@ -997,7 +997,7 @@ static void ProcessExifDir(unsigned char
+ // Process a EXIF marker
+ // Describes all the drivel that most digital cameras include...
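Review bot: After `free(Sections[--SectionsRead].Data);` in the jpgfile.c hunk the freed pointer is still stored in the vacated `Sections[SectionsRead]` slot and in the local `Data`, and the `break` that follows leaves the rest of ReadJpegSections (outside this hunk) to decide whether either is touched again. Clearing the slot as part of the discard costs nothing and rules out a double free should the array ever be walked by slot rather than by `SectionsRead`: `SectionsRead--;` / `free(Sections[SectionsRead].Data);` / `Sections[SectionsRead].Data = NULL;`. The new comment's `malformatted` should read `malformed`, and it is worth stating there that a rejected section is dropped rather than written back, since that is the behaviour callers now observe.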
+ //--------------------------------------------------------------------------
+-void process_EXIF (unsigned char * ExifSection, unsigned int length)
++int process_EXIF (unsigned char * ExifSection, int length)
+ {
+ unsigned int FirstOffset;
+
+@@ -1015,7 +1015,7 @@ void process_EXIF (unsigned char * ExifS
+ static uchar ExifHeader[] = "Exif\0\0";
+ if (memcmp(ExifSection+2, ExifHeader,6)){
+ ErrNonfatal("Incorrect Exif header",0,0);
+- return;
++ return 0;
+ }
+ }
+
+@@ -1028,21 +1028,21 @@ void process_EXIF (unsigned char * ExifS
+ MotorolaOrder = 1;
+ }else{
+ ErrNonfatal("Invalid Exif alignment marker.",0,0);
+- return;
++ return 0;
+ }
+ }
+
+ // Check the next value for correctness.
+ if (Get16u(ExifSection+10) != 0x2a){
+ ErrNonfatal("Invalid Exif start (1)",0,0);
+- return;
++ return 0;
+ }
+
+ FirstOffset = Get32u(ExifSection+12);
+ if (FirstOffset < 8 || FirstOffset > 16){
+ if (FirstOffset < 16 || length < 16 || FirstOffset > length-16){
+ ErrNonfatal("invalid offset for first Exif IFD value",0,0);
+- return;
++ return 0;
+ }
+ // Usually set to 8, but other values valid too.
+ ErrNonfatal("Suspicious offset of first Exif IFD value",0,0);
+@@ -1081,6 +1081,7 @@ void process_EXIF (unsigned char * ExifS
+ ImageInfo.FocalLength35mmEquiv = (int)(ImageInfo.FocalLength/ImageInfo.CCDWidth*36 + 0.5);
+ }
+ }
++ return 1;
+ }
+
+
+@@ -1229,6 +1230,7 @@ void create_EXIF(void)
+ const char * ClearOrientation(void)
+ {
+ int a;
++
+ if (NumOrientations == 0) return NULL;
+
+ for (a=0;a
+Description: Fix CVE-2022-41751
+Origin: https://github.com/Matthias-Wandel/jhead/commit/ba1da7dce9e8f3269159b57b88ff9688624426d2,
+ https://github.com/Matthias-Wandel/jhead/commit/76d11094d17380d51a7ad53da2287c9f53a72726,
+ https://github.com/Matthias-Wandel/jhead/commit/2a237d866581b3774ebe63d6c312e76459bd0866
+Bug: https://github.com/Matthias-Wandel/jhead/issues/57,
+ https://github.com/Matthias-Wandel/jhead/issues/60,
+ https://github.com/Matthias-Wandel/jhead/issues/65
+Bug-Debian: https://bugs.debian.org/1022028
+
+Index: jhead-3.00/jhead.c
+===================================================================
+--- jhead-3.00.orig/jhead.c
++++ jhead-3.00/jhead.c
+@@ -164,6 +164,15 @@ static int FileEditComment(char * TempFi
+ }
+ if (strlen(Editor) > PATH_MAX) ErrFatal("env too long");
+
++ // Disallow characters in the editor or filename that could be used to execute arbitrary
++ // shell commands with system() below.
++ if (strpbrk(TempFileName, "\";'&|`$")) {
++ ErrFatal("Filename has invalid characters");
++ }
++ if (strpbrk(Editor, "\";'&|`$")) {
++ ErrFatal("Editor has invalid characters");
++ }
++
+ sprintf(QuotedPath, "%s \"%s\"",Editor, TempFileName);
+ a = system(QuotedPath);
+ }
+@@ -740,6 +749,14 @@ static int DoAutoRotate(const char * Fil
+ sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"",
+ Argument, ThumbTempName_out, ThumbTempName_in);
+
++ // Disallow characters in the filenames that could be used to execute arbitrary
++ // shell commands with system() below.
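Review bot: The checks inserted ahead of `sprintf(QuotedPath, ...)` in the FileEditComment hunk are a denylist placed in front of `system()`, and the same metacharacter string literal is repeated verbatim in the DoAutoRotate and RegenerateThumbnail hunks below; `Editor` is interpolated into the command unquoted, so anything the list omits (sh also treats a newline as a command separator) still reaches the shell as syntax rather than as data. The durable fix on the POSIX build is to not involve a shell at all — spawn `Editor` with `TempFileName` as a separate argv element via `posix_spawnp` or fork/`execvp` — and until then the literal should live in a single `static const char ShellMetaChars[]` that all three call sites reference so they cannot drift apart. The `sprintf` into `QuotedPath` also stays unbounded although only `Editor` is length-checked; assuming `QuotedPath` is a local array, `snprintf(QuotedPath, sizeof QuotedPath, "%s \"%s\"", Editor, TempFileName)` with a truncation check would match the `snprintf` the RegenerateThumbnail hunk introduces. FileEditComment begins and ends outside this hunk.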
++ if (strpbrk(FileName, "\";'&|`$")) {
++ ErrNonfatal("Command has invalid characters.", 0, 0);
++ unlink(ThumbTempName_in);
++ return FALSE;
++ }
++
+ if (system(RotateCommand) == 0){
+ // Put the thumbnail back in the header
+ ReplaceThumbnail(ThumbTempName_out);
+@@ -765,7 +782,15 @@ static int RegenerateThumbnail(const cha
+ return FALSE;
+ }
+
+- sprintf(ThumbnailGenCommand, "mogrify -thumbnail %dx%d \"%s\"",
++ // Disallow characters in the filename that could be used to execute arbitrary
++ // shell commands with system() below.
++ if(strpbrk(FileName, "\";'&|`$")) {
++ ErrNonfatal("Filename has invalid characters.", 0, 0);
++ return FALSE;
++ }
++
++ snprintf(ThumbnailGenCommand, sizeof(ThumbnailGenCommand),
++ "mogrify -thumbnail %dx%d -quality 80 \"%s\"",
+ RegenThumbnail, RegenThumbnail, FileName);
+
+ if (system(ThumbnailGenCommand) == 0){
diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series
--- jhead-3.00/debian/patches/series 2023-05-16 08:57:25.000000000 +0000
+++ jhead-3.00/debian/patches/series 2023-05-24 11:02:31.000000000 +0000
@@ -17,3 +17,5 @@
 CVE-2020-6625.patch
 CVE-2020-26208.patch
 CVE-2021-28276_28278.patch
+CVE-2021-34055.patch
+CVE-2022-41751.patch
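Review bot: In the DoAutoRotate hunk the new `strpbrk` guard runs only after `RotateCommand` has already been built with an unbounded `sprintf`, and it inspects `FileName` while the command actually embeds `ThumbTempName_out` and `ThumbTempName_in`; how those names are derived from `FileName` is outside the hunk, so the guard is at best indirect. Move the check above the `sprintf`, apply it to the strings that are interpolated, and build the command with `snprintf(RotateCommand, sizeof RotateCommand, ...)` plus a truncation test, as the RegenerateThumbnail hunk in this same patch does (assuming `RotateCommand` is a local array). The message `"Command has invalid characters."` also differs from the `"Filename has invalid characters."` the other two sites use for the same condition. DoAutoRotate begins and ends outside this hunk.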
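Review bot: The return value of the new `snprintf(ThumbnailGenCommand, ...)` in the RegenerateThumbnail hunk is not checked, so a `FileName` long enough to truncate yields a command whose closing quote is cut off and that is still handed to `system()`; the `strpbrk` guard above it covers characters, not length. Capture and test the result: `int n = snprintf(ThumbnailGenCommand, sizeof(ThumbnailGenCommand), "mogrify -thumbnail %dx%d -quality 80 \"%s\"", RegenThumbnail, RegenThumbnail, FileName);` followed by `if (n < 0 || (size_t)n >= sizeof(ThumbnailGenCommand)) { ErrNonfatal("Thumbnail command too long.", 0, 0); return FALSE; }`. The added `-quality 80` changes the generated thumbnail and is unrelated to CVE-2022-41751; if it is kept, the changelog entry should say so. RegenerateThumbnail begins and ends outside this hunk.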