jhead: multiple security vulnerabilities
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
jhead (Ubuntu) | Fix Released | High | Unassigned |
Dapper | Won't Fix | Undecided | Unassigned |
Gutsy | Won't Fix | Undecided | Unassigned |
Hardy | Won't Fix | Undecided | Unassigned |
Intrepid | Fix Released | High | Unassigned |
Bug Description
jhead -cmd fails when your filenames and the resulting command line are too long:
Before:jhead -cmd '/usr/local/
Cmd:/usr/
<init> : Avifile RELEASE-
<init> : Available CPU flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni monitor ds_cpl vmx est tm
<init> : 1000.00 MHz Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz processor detected
Error : specified command did not produce expected output file <<<<<<<
in file '/home/
After:
gandalf:
Cmd:/usr/
<init> : Avifile RELEASE-
<init> : Available CPU flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni monitor ds_cpl vmx est tm
<init> : 1000.00 MHz Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz processor detected
Modified: /home/merlin/
Diff is trivial:
gandalf:
--- jhead.c.orig 2008-09-16 11:00:16.000000000 -0700
+++ jhead.c 2008-09-16 11:00:23.000000000 -0700
@@ -298,8 +298,8 @@
static void DoCommand(const char * FileName, int ShowIt)
{
int a,e;
- char ExecString[400];
- char TempName[200];
+ char ExecString[64000];
+ char TempName[32000];
int TempUsed = FALSE;
e = 0;
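Review bot: in DoCommand, the two `+` declarations (`char ExecString[64000]` and `char TempName[32000]`) are still fixed-size stack arrays, and nothing in this hunk adds a length check, so the limit moves from 400/200 bytes to 64000/32000 rather than going away. The change also puts about 96 KB on the stack for every call. I would size both buffers from the actual command and file name lengths (heap allocation, checked for failure), or reject input that does not fit before anything is written, so that overlong input is handled explicitly.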
Using an extremely long -cmd leads to stack protector being tripped. The ExecString and TempName should probably be dynamically allocated based on the strlen of the command.
---
*** stack smashing detected ***: jhead terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48) [0xb7ee5138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0) [0xb7ee50f0]
jhead[0x804944a]
[0x20202020]
======= Memory map: ========
08048000-08056000 r-xp 00000000 fe:00 33760719 /usr/bin/jhead
08056000-08057000 rw-p 0000e000 fe:00 33760719 /usr/bin/jhead
08057000-08079000 rw-p 08057000 00:00 0 [heap]
b7df7000-b7df8000 rw-p b7df7000 00:00 0
b7df8000-b7f41000 r-xp 00000000 fe:00 51342253 /lib/tls/i686/cmov/libc-2.7.so
b7f41000-b7f42000 r--p 00149000 fe:00 51342253 /lib/tls/i686/cmov/libc-2.7.so
b7f42000-b7f44000 rw-p 0014a000 fe:00 51342253 /lib/tls/i686/cmov/libc-2.7.so
b7f44000-b7f47000 rw-p b7f44000 00:00 0
b7f47000-b7f6a000 r-xp 00000000 fe:00 51342261 /lib/tls/i686/cmov/libm-2.7.so
b7f6a000-b7f6c000 rw-p 00023000 fe:00 51342261 /lib/tls/i686/cmov/libm-2.7.so
b7f87000-b7f91000 r-xp 00000000 fe:00 125830164 /lib/libgcc_s.so.1
b7f91000-b7f92000 rw-p 0000a000 fe:00 125830164 /lib/libgcc_s.so.1
b7f92000-b7f95000 rw-p b7f92000 00:00 0
b7f95000-b7f96000 r-xp b7f95000 00:00 0 [vdso]
b7f96000-b7fb0000 r-xp 00000000 fe:00 125830168 /lib/ld-2.7.so
b7fb0000-b7fb2000 rw-p 00019000 fe:00 125830168 /lib/ld-2.7.so
bfa5d000-bfa72000 rw-p bffeb000 00:00 0 [stack]
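
The dynamic allocation suggested in the comment above could look like the sketch below. This is an added example, not jhead's code and not part of the original report. The function name build_exec_string and the "&i" file name placeholder are assumptions made for illustration, since the page does not show how DoCommand fills ExecString.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not jhead's code. Expands each "&i" in cmd (placeholder
 * syntax assumed for illustration) to file_name, in a heap buffer sized
 * from the inputs. Returns NULL on overflow or allocation failure. */
char *build_exec_string(const char *cmd, const char *file_name)
{
    size_t cmd_len = strlen(cmd), name_len = strlen(file_name);
    size_t hits = 0, need, out = 0;
    const char *p;
    char *buf;

    /* Pass 1: count placeholders so the exact output size is known. */
    for (p = cmd; (p = strstr(p, "&i")) != NULL; p += 2)
        hits++;
    /* Each hit swaps 2 bytes for name_len bytes; refuse size_t overflow. */
    if (name_len > 2 && hits > (SIZE_MAX - cmd_len - 1) / (name_len - 2))
        return NULL;
    need = cmd_len - 2 * hits + hits * name_len + 1;
    buf = malloc(need);
    if (buf == NULL)
        return NULL;
    /* Pass 2: copy and substitute; every write stays inside need bytes. */
    for (p = cmd; *p != '\0'; ) {
        if (p[0] == '&' && p[1] == 'i') {
            memcpy(buf + out, file_name, name_len);
            out += name_len;
            p += 2;
        } else {
            buf[out++] = *p++;
        }
    }
    buf[out] = '\0';
    return buf; /* caller frees */
}

int main(void)
{
    char name[1001]; /* constructed input, longer than the old 400 bytes */
    char *s;
    memset(name, 'A', 1000);
    name[1000] = '\0';
    s = build_exec_string("tool &i", name);
    if (s == NULL)
        return 1;
    printf("%zu bytes built\n", strlen(s));
    free(s);
    return 0;
}
```

Sizing the buffer addresses only the overflow; the file name still ends up inside a command string, so quoting has to be handled separately.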