[Bug 1830863] Re: Integer overflow in parse_report (whoopsie.c:425)
Alex Murray
alex.murray at canonical.com
Tue Jul 9 01:33:48 UTC 2019
** Attachment removed: "PoC.tar.bz2"
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830863/+attachment/5267311/+files/PoC.tar.bz2
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1830863
Title:
Integer overflow in parse_report (whoopsie.c:425)
Status in Whoopsie:
New
Status in whoopsie package in Ubuntu:
Fix Released
Bug description:
Dear Ubuntu Security Team,
I would like to report an integer overflow vulnerability in whoopsie.
In combination with issue 1830858, this vulnerability may enable a
local attacker to read arbitrary files on the system.
I have attached a proof-of-concept which triggers the vulnerability. I
have tested it on an up-to-date Ubuntu 18.04. Run it as follows:
  bunzip2 PoC.tar.bz2
  tar -xf PoC.tar
  cd PoC
  make
  ./killwhoopsie1
The PoC works by creating a file named
`/var/crash/killwhoopsie.crash`, just over 4GB in size. It then
creates a file named `/var/crash/killwhoopsie.upload`, which prompts
whoopsie to start processing the .crash file. Be aware that whoopsie
will keep restarting and crash repeatedly until you remove the files
from /var/crash.
This is the source location of the integer overflow bug:
http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/src/whoopsie.c#L425
The problem is that the type of value_pos is int, but the size of the
file can be larger than INT_MAX. My PoC arranges things such that
value_pos == -16, leading to an out-of-bounds write on line 440.
Please let me know when you have fixed the vulnerability, so that I
can coordinate my disclosure with yours. For reference, here is a link
to Semmle's vulnerability disclosure policy:
https://lgtm.com/security#disclosure_policy
Thank you,
Kevin Backhouse
Semmle Security Research Team
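Added example, not part of the original report and not whoopsie's code: it shows how a byte offset just under 4 GiB reads as -16 once it is held in a 32-bit int, next to a buffer append that tracks its position as size_t and checks the arithmetic before writing. The names pos_as_int32, value_buf and value_append are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a 32-bit signed position holds once the real offset passes INT_MAX:
 * only the low 32 bits survive. int32_t is two's complement by definition,
 * so the memcpy reinterpretation is well defined. */
int32_t pos_as_int32(uint64_t real_offset)
{
    uint32_t low = (uint32_t)real_offset;
    int32_t pos;
    memcpy(&pos, &low, sizeof pos);
    return pos;
}

/* Hypothetical growable value buffer (an assumption, not whoopsie's type). */
struct value_buf {
    char  *data;
    size_t len;   /* bytes used; size_t can index files larger than 2 GiB */
    size_t cap;   /* bytes allocated */
};

/* Append n bytes. Returns 0 on success, -1 on wraparound or allocation
 * failure; on failure the buffer is left unchanged. */
int value_append(struct value_buf *vb, const char *src, size_t n)
{
    if (n > SIZE_MAX - vb->len)          /* len + n would wrap */
        return -1;
    size_t need = vb->len + n;
    if (need > vb->cap) {
        size_t new_cap = vb->cap ? vb->cap : 64;
        while (new_cap < need)
            new_cap = (new_cap > SIZE_MAX / 2) ? need : new_cap * 2;
        char *p = realloc(vb->data, new_cap);
        if (p == NULL)
            return -1;
        vb->data = p;
        vb->cap = new_cap;
    }
    memcpy(vb->data + vb->len, src, n);
    vb->len = need;
    return 0;
}

int main(void)
{
    /* Constructed offset: 16 bytes below 4 GiB, as seen through an int. */
    printf("%d\n", (int)pos_as_int32(0xFFFFFFF0ULL));
    return 0;
}
```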