[Bug 1221918] New: VUL-0: CVE-2024-2824: jhead: heap-based buffer overflow in function PrintFormatNumber
https://bugzilla.suse.com/show_bug.cgi?id=1221918

            Bug ID: 1221918
           Summary: VUL-0: CVE-2024-2824: jhead: heap-based buffer overflow in function PrintFormatNumber
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/398716/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: pgajdos@suse.com
          Reporter: smash_bz@suse.de
        QA Contact: security-team@suse.de
                CC: andrea.mattiazzo@suse.com
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

A vulnerability was found in Matthias-Wandel jhead 3.08 and classified as critical. This issue affects the function PrintFormatNumber of the file exif.c. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257711.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2824
https://www.cve.org/CVERecord?id=CVE-2024-2824
https://github.com/Matthias-Wandel/jhead/files/14613084/poc.zip
https://github.com/Matthias-Wandel/jhead/issues/84
https://vuldb.com/?ctiid.257711
https://vuldb.com/?id.257711

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221918

Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Priority|P5 - None   |P3 - Medium
https://bugzilla.suse.com/show_bug.cgi?id=1221918
https://bugzilla.suse.com/show_bug.cgi?id=1221918#c1

--- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> ---
Launching the PoC without additional arguments doesn't trigger ASAN; asked for more info on the GitHub issue.
https://bugzilla.suse.com/show_bug.cgi?id=1221918
https://bugzilla.suse.com/show_bug.cgi?id=1221918#c2

--- Comment #2 from Petr Gajdos <pgajdos@suse.com> ---
Reproducing the command line from the reporter

  jhead -de -di -purejpg -cs /dev/null -ci /dev/null -cl string -zt -dsft -autorot -norot -cr -ca -ar -v poc

I see that now:

==507==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000000128 at pc 0x561615596875 bp 0x7ffff19333a0 sp 0x7ffff1933398
READ of size 8 at 0x511000000128 thread T0
    #0 0x561615596874 in PrintFormatNumber /usr/src/debug/jhead-3.08/exif.c:401
    #1 0x56161559b72a in ProcessGpsInfo /usr/src/debug/jhead-3.08/gpsinfo.c:215
    #2 0x56161559b72a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:884
    #3 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #4 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #5 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #6 0x56161559ae1a in ProcessExifDir /usr/src/debug/jhead-3.08/exif.c:870
    #7 0x56161559c23b in process_EXIF /usr/src/debug/jhead-3.08/exif.c:1063
    #8 0x56161559dbf7 in ReadJpegSections /usr/src/debug/jhead-3.08/jpgfile.c:290
    #9 0x56161559dbf7 in ReadJpegFile /usr/src/debug/jhead-3.08/jpgfile.c:385
    #10 0x56161559ea55 in ProcessFile /usr/src/debug/jhead-3.08/jhead.c:895
    #11 0x561615594a37 in main /usr/src/debug/jhead-3.08/jhead.c:1805
    #12 0x7feb5722a1ef in __libc_start_call_main (/lib64/libc.so.6+0x2a1ef) (BuildId: 07453469054b134d7f4829e267d0ac7b8a725ebc)
    #13 0x7feb5722a2b8 in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a2b8) (BuildId: 07453469054b134d7f4829e267d0ac7b8a725ebc)
    #14 0x5616155959b4 in _start ../sysdeps/x86_64/start.S:115

0x51100000012e is located 0 bytes after 238-byte region [0x511000000040,0x51100000012e)
allocated by thread T0 here:
    #0 0x7feb576fb6e7 in malloc (/lib64/libasan.so.8+0xfb6e7) (BuildId: 26775ff385a0faa6c609286325b8cf914b085af1)
    #1 0x56161559c85b in ReadJpegSections /usr/src/debug/jhead-3.08/jpgfile.c:175
    #2 0x56161559c85b in ReadJpegFile /usr/src/debug/jhead-3.08/jpgfile.c:385
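The trace in comment #2 shows an 8-byte read that starts inside the 238-byte section buffer malloc'd in ReadJpegSections (6 bytes before its end) and runs past it, reached from ProcessGpsInfo through PrintFormatNumber. That is the signature of a value read through a pointer derived from an untrusted EXIF directory entry: the first byte of the value lies inside the section, but the bytes the format needs do not. The following is an added example written for this page, not jhead's code and not the upstream fix for this bug: a minimal, hypothetical model of a TIFF/EXIF IFD walker that checks the full extent of each entry's value (count times format size) against the section length before handing the pointer to the number reader, with the unchecked pattern shown in a comment for contrast. The IFD layout, the format-size table, the function names and the 34-byte sample buffer are all constructed for the example; offsets are taken relative to the start of the section buffer, which is a simplification of real TIFF headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not jhead's parser: a minimal model of a TIFF/EXIF IFD walker.
 * Layout assumed here: u16 entry count, then 12-byte entries
 * (u16 tag, u16 format, u32 count, u32 value-or-offset), all little-endian.
 * Values of 4 bytes or fewer are stored inline; larger ones live at the offset,
 * which this model takes relative to the start of the section buffer.
 */
enum { FMT_BYTE = 1, FMT_USHORT = 3, FMT_ULONG = 4, FMT_URATIONAL = 5, FMT_DOUBLE = 12 };
static const size_t fmt_bytes[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "Do `size` bytes at `off` fit in `len` bytes?", written so that neither
 * off + size nor any other sum can wrap around. */
static int in_bounds(size_t len, size_t off, size_t size) {
    return off <= len && size <= len - off;
}

/* The print/convert step trusts the pointer it is given. It has no way to know
 * where the section ends, so if the caller hands it a value that starts inside
 * the buffer but whose format needs more bytes than remain, this is where the
 * out-of-bounds read happens (an 8-byte format gives a READ of size 8). */
static double read_number(const uint8_t *val, int fmt) {
    switch (fmt) {
    case FMT_BYTE:      return val[0];
    case FMT_USHORT:    return rd16(val);
    case FMT_ULONG:     return rd32(val);
    case FMT_URATIONAL: { uint32_t n = rd32(val), d = rd32(val + 4); return d ? (double)n / d : 0.0; }
    case FMT_DOUBLE:    { double d; memcpy(&d, val, 8); return d; }
    default:            return 0.0;
    }
}

/* Resolve an entry's value bytes. The unchecked pattern is one line:
 *     return size <= 4 ? ent + 8 : sec + rd32(ent + 8);
 * The hardened version rejects any value whose full extent (count * format size,
 * not just its first byte) does not fit inside the section. Returns NULL to reject. */
static const uint8_t *entry_value(const uint8_t *sec, size_t len, const uint8_t *ent, size_t *size_out) {
    uint16_t fmt = rd16(ent + 2);
    uint32_t count = rd32(ent + 4);
    if (fmt == 0 || fmt > 12 || count == 0) return NULL;
    size_t size = fmt_bytes[fmt];
    if (count > SIZE_MAX / size) return NULL;          /* count * size must not wrap */
    size *= count;
    *size_out = size;
    if (size <= 4) return ent + 8;                     /* inline; the entry itself was bounds-checked */
    uint32_t off = rd32(ent + 8);
    if (!in_bounds(len, off, size)) return NULL;       /* a start-only check would miss the overrun */
    return sec + off;
}

/* Walk the IFD at ifd_off. Returns the number of readable entries (-1 if the
 * directory itself does not fit) and stores up to max_vals converted first
 * components in vals; *rejected gets the index of the first rejected entry or -1. */
int walk_ifd(const uint8_t *sec, size_t len, size_t ifd_off, double *vals, int max_vals, int *rejected) {
    *rejected = -1;
    if (!in_bounds(len, ifd_off, 2)) return -1;
    uint16_t n = rd16(sec + ifd_off);
    size_t ents = ifd_off + 2;                         /* cannot wrap: ifd_off <= len */
    if (!in_bounds(len, ents, (size_t)n * 12)) return -1;
    int got = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *ent = sec + ents + i * 12;
        size_t size;
        const uint8_t *val = entry_value(sec, len, ent, &size);
        if (!val) { if (*rejected < 0) *rejected = (int)i; continue; }
        if (got < max_vals) vals[got] = read_number(val, rd16(ent + 2));
        got++;
    }
    return got;
}

/* Constructed 34-byte section (not the PoC from the bug). Entry 0 is an 8-byte
 * URATIONAL stored at offset 26, which fits. Entry 1 is a DOUBLE whose value
 * starts at offset 28, 6 bytes before the end: in bounds at its first byte but
 * 8 bytes long, so it would run 2 bytes past the buffer, the shape the ASAN
 * report shows. The hardened walker rejects it instead of reading it. */
const uint8_t sample_gps_ifd[34] = {
    0x02, 0x00,                                                             /* 2 entries */
    0x02, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00, /* tag 2, URATIONAL x1 @26 */
    0x06, 0x00, 0x0C, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, /* tag 6, DOUBLE x1 @28 */
    0x33, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00                          /* 51/1 */
};

int main(void) {
    double vals[4];
    int rejected;
    int got = walk_ifd(sample_gps_ifd, sizeof sample_gps_ifd, 0, vals, 4, &rejected);
    printf("readable entries: %d, first rejected entry: %d, value[0] = %g\n", got, rejected, vals[0]);
    return 0;
}
```

The point of the example is where the check lives: the number reader cannot be fixed on its own, because it only sees a pointer and a format. The walker that computes the pointer owns the section length, so it must verify the whole value extent, with wrap-safe arithmetic, before the pointer leaves its hands. When triaging a report like this one, the ASAN "located N bytes after region" line combined with the read size tells you whether the start or the extent check is the one that is missing.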
https://bugzilla.suse.com/show_bug.cgi?id=1221918
https://bugzilla.suse.com/show_bug.cgi?id=1221918#c3

--- Comment #3 from Petr Gajdos <pgajdos@suse.com> ---
No news upstream.

https://bugzilla.suse.com/show_bug.cgi?id=1221918
https://bugzilla.suse.com/show_bug.cgi?id=1221918#c4

--- Comment #4 from Petr Gajdos <pgajdos@suse.com> ---
No news upstream.

https://bugzilla.suse.com/show_bug.cgi?id=1221918
https://bugzilla.suse.com/show_bug.cgi?id=1221918#c5

--- Comment #5 from Petr Gajdos <pgajdos@suse.com> ---
No news upstream.

https://bugzilla.suse.com/show_bug.cgi?id=1221918
https://bugzilla.suse.com/show_bug.cgi?id=1221918#c6

--- Comment #6 from Petr Gajdos <pgajdos@suse.com> ---
No news upstream.