Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello, developers of jhead.
We have found an exploit that allows running an arbitrary shell command due to improper input validation (CWE-20). This pull request fixes this vulnerability.
Details
In the function RegenerateThumbnail in the file jhead.c, system() is called with a string that contains a user-provided filename,
leaving it open to attack by using a crafted filename.
System Info
5.10.104-linuxkit: clang 10.0.0-4ubuntu1, gcc 9.4.0
jhead 3.06.0.1, commit 78057ab
All testing was done in a Docker container, but this vulnerability should affect all platforms.
Verification
Download test.jpeg.
This will work with any image with an EXIF thumbnail. The program exiftran can be used to add a
thumbnail to an image that lacks one.
Whether the mogrify command exists does not affect the functioning of the exploit.
Fix
I added a check for certain characters in the filename in RegenerateThumbnail:
I also replaced a call to
sprintf
withsnprintf
in RegenerateThumbnail.After applying the patch, files with invalid characters (such as quotes and other symbols with special meaning on the shell)
will be disallowed from being used in RegenerateThumbnail:
A better solution would be to use a function such as
execve
on UNIX-based systems. I chose not to include this in the patchas it would complicate compilation on Windows-based systems, but it should also be possible to call a Windows API function such
as
CreateProcess
orShellExecute
to run the command.