From what I understand,

1) autorun.inf files can be written to automatically execute a program. 
However, they still need to get user approval through a "Do you trust this 
program?" kind of message.
2) According to upstream comment, "By setting PCRE_NO_UTF8_CHECK you are 
guaranteeing that the string is a valid UTF-8 string. If you break your 
promise, anything might happen.". Some people have already exploited similar 
bugs to execute an arbitrary payload 
(https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html).

At worst, I think the bug could be exploited to create a malicious USB/SD 
Card/Filesystem image to execute arbitrary code without user approval when 
mounted. It could also be used to run code with gvfs privileges. 
Not sure if that qualifies as a security issue. The bug does not happen when no 
user is authenticated (locked screen), so it cannot be used to bypass a login 
screen.

https://bugs.launchpad.net/bugs/1798725

Title:
  gvfs may crash when parsing non-valid UTF8 in autorun.inf

Status in gvfs package in Ubuntu:
  Confirmed

Bug description:
  Reported upstream at https://bugs.exim.org/show_bug.cgi?id=2330 -
  libpcre3 can be made to crash when matching the pattern \s*= when the
  context is n\xff=

  Able to reproduce on current Bionic using the PoC attached (which is
  copied directly from the upstream bug report) - in a fresh Bionic VM:

  $ sudo apt install build-essential libgtk2.0-dev
  $ cd PCRE_PoC
  $ ./compilePoC.sh
  $ ./PoC 
  Content:
  -------------------
  n�=
  -------------------
  Pattern:
  -------------------
  \s*=
  ---------------------
  Segmentation fault (core dumped)

  Haven't yet tested the second PoC via an external disk autorun.inf and
  gvfs-udisks2-volume-monitor.

  Also haven't tested in Cosmic / older releases
