Bug 711220 (CVE-2019-1010301, CVE-2019-1010302)

Summary:	<media-gfx/jhead-3.04: Multiple vulnerabilities (CVE-2019-{1010301,1010302})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	dilfridge, graphics+disabled
Priority:	Normal	Keywords:	CC-ARCHES
Version:	unspecified	Flags:	nattka: sanity-check+
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/16406 https://bugs.gentoo.org/show_bug.cgi?id=730746
Whiteboard:	B3 [glsa+ cve]
Package list:	media-gfx/jhead-3.04	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	701826

Description Sam James archtester

2020-03-01 20:33:54 UTC

1) CVE-2019-1010301

Description:
"jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file."

URL: https://www.cvedetails.com/cve/CVE-2019-1010301/

2) CVE-2019-1010302

Description:
"jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file."

URL: https://www.cvedetails.com/cve/CVE-2019-1010302/

---
Affected versions:
- <3.04? (https://www.sentex.ca/~mwandel/jhead/changes.txt)

Comment 1 Yury German Gentoo Infrastructure

2020-04-12 00:02:48 UTC

Adding 2 more CVE's to this (Same Version)


CVE-2020-6625 (NEW)
Closejhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c.


CVE-2020-6624 (NEW)
Closejhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c.

Comment 2 Larry the Git Cow gentoo-dev

2020-07-04 14:27:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67e090339cb570cde380194dbc8b68089d9de311

commit 67e090339cb570cde380194dbc8b68089d9de311
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-24 20:39:38 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-07-04 14:25:02 +0000

    media-gfx/jhead: Security bump to 3.04
    
    EAPI bumped, src_prepare refactored away, added PATCHES array instead
    with a patch that includes the effects of the previous patch. This patch
    also includes adding Makefile functionality to create a shared library
    that was removed upstream since the last version we have.
    
    Bug: https://bugs.gentoo.org/701826
    Bug: https://bugs.gentoo.org/711220
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16406
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-gfx/jhead/Manifest                           |  1 +
 .../files/jhead-3.04-mkstemp-fix-makefile.patch    | 53 ++++++++++++++++++++++
 media-gfx/jhead/jhead-3.04.ebuild                  | 24 ++++++++++
 3 files changed, 78 insertions(+)

Comment 3 Sam James archtester

2020-07-04 18:17:21 UTC

(In reply to Yury German from comment #1)
> Adding 2 more CVE's to this (Same Version)
> 
> 
> CVE-2020-6625 (NEW)
> Closejhead through 3.04 has a heap-based buffer over-read in Get32s when
> called from ProcessGpsInfo in gpsinfo.c.
> 
> 
> CVE-2020-6624 (NEW)
> Closejhead through 3.04 has a heap-based buffer over-read in process_DQT in
> jpgqguess.c.

I'll put these in a new bug just because then we can handle all the fixed stuff together.

Comment 4 Sam James archtester

2020-07-14 17:08:12 UTC

No open bugs. Will stable if no objections?

Comment 5 Sam James archtester

2020-07-17 03:21:56 UTC

ppc64 stable

Comment 6 Sam James archtester

2020-07-17 03:30:23 UTC

ppc stable

Comment 7 Sam James archtester

2020-07-17 23:32:05 UTC

x86 stable

Comment 8 Sam James archtester

2020-07-17 23:32:23 UTC

amd64 stable

Comment 9 Sam James archtester

2020-07-18 18:37:01 UTC

sparc stable. Please cleanup.

Comment 10 Sam James archtester

2020-07-26 15:52:33 UTC

GLSA vote: yes

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2020-07-26 23:58:46 UTC

This issue was resolved and addressed in
 GLSA 202007-17 at https://security.gentoo.org/glsa/202007-17
by GLSA coordinator Sam James (sam_c).

Comment 12 Sam James archtester

2020-07-27 01:16:22 UTC

(In reply to GLSAMaker/CVETool Bot from comment #11)
> This issue was resolved and addressed in
>  GLSA 202007-17 at https://security.gentoo.org/glsa/202007-17
> by GLSA coordinator Sam James (sam_c).

Reopening for cleanup.

Comment 13 Larry the Git Cow gentoo-dev

2020-07-27 03:15:33 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40cb226be567e8f6b584268028b59b07812e8532

commit 40cb226be567e8f6b584268028b59b07812e8532
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-27 02:34:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 03:15:18 +0000

    media-gfx/jhead: security cleanup
    
    Closes: https://bugs.gentoo.org/711220
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/jhead/Manifest                           |  2 --
 .../files/jhead-2.90-mkstemp_respect_flags.patch   | 26 ------------------
 media-gfx/jhead/jhead-2.97.ebuild                  | 31 ---------------------
 media-gfx/jhead/jhead-3.00-r2.ebuild               | 30 --------------------
 media-gfx/jhead/jhead-3.00.ebuild                  | 32 ----------------------
 5 files changed, 121 deletions(-)