[Bug 1502912] Re: gvfsd-dav: null pointer dereference if server response is not escaped
Sebastien Bacher
seb128 at ubuntu.com
Tue Oct 6 08:04:59 UTC 2015
git commit on
https://git.gnome.org/browse/gvfs/commit/?h=gnome-3-12&id=0abdd97989d5274d84017490aff3bf07a71fd672
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1502912
Title:
gvfsd-dav: null pointer dereference if server response is not escaped
Status in gvfs package in Ubuntu:
Fix Released
Bug description:
My colleague Gustavo Nunes Pereira has found that gvfsd-dav was
crashing with a SEGFAULT on some of our WebDAV mounts. I'm not sure if
this is exploitable, but it is caused by a null pointer dereference
when listing remote files in a directory if the server returns a non-
escaped filename.
A backtrace follows:
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x000000000040ab4c in path_equal (
a=a at entry=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx",
b=<optimized out>, relax=1) at gvfsbackenddav.c:243
#2 0x000000000040b9f9 in path_equal (relax=1, b=<optimized out>,
a=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx")
at gvfsbackenddav.c:237
#3 multistatus_get_response (resp_iter=resp_iter at entry=0x7fffe3dfbd50, response=response at entry=0x7fffe3dfbd30) at gvfsbackenddav.c:856
#4 0x000000000040c8ee in do_enumerate (backend=<optimized out>, job=0x63f190, filename=<optimized out>, matcher=<optimized out>, flags=<optimized out>)
at gvfsbackenddav.c:2211
#5 0x00007ffff7bc4dea in g_vfs_job_run (job=0x63f190) at gvfsjob.c:197
#6 0x00007ffff64d488c in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x00007ffff64d3f05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8 0x00007ffff6250182 in start_thread (arg=0x7fffe3dfc700) at pthread_create.c:312
#9 0x00007ffff5f7d47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
This bug cannot be reproduced using the master branch from the gvfs
repository. It was already fixed by upstream commit
https://git.gnome.org/browse/gvfs/patch/?id=f81ff2108ab3b6e370f20dcadd8708d23f499184
which can be applied cleanly against Ubuntu's gvfs 1.20.3.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gvfs 1.20.3-0ubuntu1.2
ProcVersionSignature: Ubuntu 3.13.0-65.105-generic 3.13.11-ckt26
Uname: Linux 3.13.0-65-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.14.1-0ubuntu3.15
Architecture: amd64
Date: Mon Oct 5 10:44:59 2015
InstallationDate: Installed on 2014-07-10 (451 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: gvfs
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1502912/+subscriptions
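As an added illustration of the defect class in the report (this is not gvfs's own code and not the upstream patch linked above), here is the pattern behind frame #0 of the backtrace: a percent-decoder that returns NULL on a malformed escape such as the "%." in "justificativa_25%.docx", beside a comparison that hands that NULL to strlen() and a hardened one that treats a non-decodable server path as simply "not equal". The function names, the GLib-like decoder semantics and the sample paths are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative percent-decoder with GLib-like semantics (an assumption,
 * not gvfs's own code): returns a new string, or NULL when an escape is
 * malformed, e.g. the "%." in "justificativa_25%.docx" from the report. */
static char *unescape_path(const char *s)
{
    size_t n = strlen(s), j = 0;
    char *out = malloc(n + 1);
    for (size_t i = 0; out != NULL && i < n; i++) {
        if (s[i] != '%') { out[j++] = s[i]; continue; }
        /* '%' needs two hex digits; the short-circuit keeps reads in bounds */
        if (!isxdigit((unsigned char)s[i + 1]) || !isxdigit((unsigned char)s[i + 2])) {
            free(out);
            return NULL;
        }
        char hex[3] = { s[i + 1], s[i + 2], '\0' };
        out[j++] = (char)strtol(hex, NULL, 16);
        i += 2;
    }
    if (out != NULL)
        out[j] = '\0';
    return out;
}

/* The crash pattern behind the backtrace: the decoded pointer reaches
 * strlen() with no NULL check, so a malformed server-supplied path segfaults. */
static int path_equal_unsafe(const char *a, const char *b)
{
    char *ua = unescape_path(a), *ub = unescape_path(b);
    int eq = strlen(ua) == strlen(ub) && strcmp(ua, ub) == 0;
    free(ua);
    free(ub);
    return eq;
}

/* Hardened form: a path that fails to decode compares as "not equal" and
 * is never dereferenced, so the daemon keeps running on bad server input. */
static int path_equal_safe(const char *a, const char *b)
{
    char *ua = unescape_path(a), *ub = unescape_path(b);
    int eq = ua != NULL && ub != NULL && strcmp(ua, ub) == 0;
    free(ua);   /* free(NULL) is a no-op */
    free(ub);
    return eq;
}
```

path_equal_unsafe is shown only for contrast; calling it with a path like the one in the backtrace reproduces the strlen(NULL) crash.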