[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
This bug was fixed in the package gvfs - 1.36.1-0ubuntu1.2

---
gvfs (1.36.1-0ubuntu1.2) bionic; urgency=medium

  * debian/patches/git_smb_writing.patch:
    - Use O_RDWR to fix fstat when writing (lp: #1803158)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)
  * debian/patches/git_channel_lock.patch:
    - daemon: Prevent deadlock and invalid read when closing channels
      (lp: #1630905)
  * debian/patches/git_dav_lockups.patch:
    - workaround libsoup limitation to prevent dav lockups (lp: #1792878)
  * debian/patches/git_smb_nt1.patch:
    - smbbrowse: Force NT1 protocol version for workgroup support
      (lp: #1778322)
  * debian/patches/git_smb_directory.patch:
    - smb: Add workaround to fix removal of non-empty dir (lp: #1803190)

 -- Sebastien Bacher Tue, 13 Nov 2018 17:09:03 +0100

** Changed in: gvfs (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gvfs in Ubuntu.
https://bugs.launchpad.net/bugs/1798725

Title:
  gvfs may crash when parsing non-valid UTF8 in autorun.inf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1798725/+subscriptions

--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
This bug was fixed in the package gvfs - 1.38.1-0ubuntu1.1

---
gvfs (1.38.1-0ubuntu1.1) cosmic; urgency=medium

  * debian/patches/series:
    - include git_invalid_autorun.patch which was mentioned in the
      previous upload but not added to the serie

gvfs (1.38.1-0ubuntu1) cosmic; urgency=medium

  * New upstream version (lp: #1803186)
    - smbbrowse: Force NT1 protocol version for workgroup support
      (lp: #1778322)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)

 -- Sebastien Bacher Wed, 21 Nov 2018 15:03:01 +0100

** Changed in: gvfs (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
Tested the new version in cosmic-proposed on an up-to-date cosmic VM by inserting a USB drive with the attached autorun.inf and it passes.

Steps to test locally as follows:

1. Enabled cosmic-proposed
2. sudo apt-get dist-upgrade
3. sudo reboot

On next boot with the autorun.inf on a local USB drive:

$ dmesg | grep gvfs
$ apt-cache policy gvfs
gvfs:
  Installed: 1.38.1-0ubuntu1.1
  Candidate: 1.38.1-0ubuntu1.1
  Version table:
 *** 1.38.1-0ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.38.0-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages

** Tags removed: verification-needed-cosmic

** Tags added: verification-done-cosmic
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
Hello Alex, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Tags removed: verification-failed-cosmic

** Tags added: verification-needed-cosmic
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
@amurray, thx, indeed the patch is missing from the series on cosmic, I did another upload to fix that one
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
Tested the version from bionic-proposed in an up-to-date VM and it passed.

Steps to test locally as follows:

1. Enabled bionic-proposed
2. sudo apt-get dist-upgrade
3. sudo reboot

On next boot with the autorun.inf on a local USB drive:

$ dmesg | grep gvfs
$ apt-cache policy gvfs
gvfs:
  Installed: 1.36.1-0ubuntu1.2
  Candidate: 1.36.1-0ubuntu1.2
  Version table:
 *** 1.36.1-0ubuntu1.2 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.36.1-0ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
     1.36.1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

** Tags removed: verification-needed-bionic

** Tags added: verification-done-bionic
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
Tested the version from cosmic-proposed in an up-to-date VM and it failed - looks like this is not actually applied during the build - see the build log https://launchpadlibrarian.net/398362236/buildlog_ubuntu-cosmic-amd64.gvfs_1.38.1-0ubuntu1_BUILDING.txt.gz and notice it is never listed during unpacking.

Steps to test locally as follows:

1. Enabled cosmic-proposed
2. sudo apt-get dist-upgrade
3. sudo reboot

On next boot with the autorun.inf on a local USB drive:

$ dmesg | grep gvfs
[ 57.813663] gvfs-udisks2-vo[1777]: segfault at 7fe470b0a180 ip 7fe470a5b6a6 sp 7ffeeec746f0 error 4 in libpcre.so.3.13.3[7fe470a45000+52000]
[ 176.066448] gvfs-udisks2-vo[2294]: segfault at 7f9bf21c9180 ip 7f9bf211a6a6 sp 7ffd2cc2ef60 error 4 in libpcre.so.3.13.3[7f9bf2104000+52000]
$ apt-cache policy gvfs
gvfs:
  Installed: 1.38.1-0ubuntu1
  Candidate: 1.38.1-0ubuntu1
  Version table:
 *** 1.38.1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.38.0-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages

** Tags removed: verification-needed-cosmic

** Tags added: verification-failed-cosmic
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
Hello Alex, or anyone else affected,

Accepted gvfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: gvfs (Ubuntu Bionic)
       Status: New => Fix Committed

** Tags added: verification-needed-bionic
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
Hello Alex, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: gvfs (Ubuntu Cosmic)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-cosmic
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
This bug was fixed in the package gvfs - 1.38.1-1ubuntu2

---
gvfs (1.38.1-1ubuntu2) disco; urgency=medium

  * d/p/common-Prevent-crashes-on-invalid-autorun-file.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)

 -- Sebastien Bacher Tue, 13 Nov 2018 22:18:59 +0100

** Changed in: gvfs (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
@Seb - also I rebuilt gvfs locally for bionic with that upstream patch added and can confirm it does not segfault after that - would be happy to test your SRUd version and confirm it as well if needed.
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
@Seb - so there is an autorun.inf in the original tarball which can be used (I will attach it separately here as well) - and this reproduces the crash for me - I just copied it to a FAT formatted USB drive, plugged it in and then in dmesg:

[ 40.361136] gvfs-udisks2-vo[1563]: segfault at 7f3c60a485e0 ip 7f3c6099ef86 sp 7ffe34884e10 error 4 in libpcre.so.3.13.3[7f3c60983000+7]
[ 51.023933] gvfs-udisks2-vo[1805]: segfault at 7fb5ef2205e0 ip 7fb5ef176f86 sp 7fff3e059160 error 4 in libpcre.so.3.13.3[7fb5ef15b000+7]

And eventually apport popped up as well (gvfs-udisks2-volume-monitor crashed with SIGSEGV in pcre_exec()).

** Attachment added: "autorun.inf"
   https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1798725/+attachment/5212446/+files/autorun.inf
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
@Alex, I've uploaded to disco and since I was doing a SRU for cosmic/bionic I included it there, would be nice if you could help with a better testcase though?
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
** Description changed: + * Impact + + gvfs can be made to segfault by being provided an invalid autorun.inf + + * Test Case + + Use the proof of concept from bellow to generate an invalid autorun.inf + and place it on an usb drive, connect the drive to the computer, gvfs + shouldn't hit a segfault + + * Regression potential + + Check that the autorun feature keeps working + + --- + Reported upstream at https://bugs.exim.org/show_bug.cgi?id=2330 - libpcre3 can be made to crash when matching the pattern \s*= when the context is n\xff= Able to reproduce on current Bionic using the PoC attached (which is copied directly from the upstream bug report) - in a fresh Bionic VM: $ sudo apt install build-essential libgtk2.0-dev $ cd PCRE_PoC $ ./compilePoC.sh - $ ./PoC + $ ./PoC Content: --- n�= --- Pattern: --- \s*= - Segmentation fault (core dumped) Haven't yet tested the second PoC via an external disk autorun.inf and gvfs-udisks2-volume-monitor. Also haven't tested in Cosmic / older releases
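Added example, not part of the bug thread and not gvfs or PCRE code: a C check that proves a buffer is well-formed UTF-8 before it reaches a matcher that has been told to skip its own validation, which is the promise the upstream PCRE_NO_UTF8_CHECK comment quoted in this thread refers to. `find_assignment` is a hypothetical stand-in for the `\s*=` match; the `n\xff=` input is the subject from the report and the other samples are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Offset of the first byte that breaks UTF-8 well-formedness (RFC 3629:
 * no overlong forms, no surrogates, nothing above U+10FFFF), or -1. */
long utf8_first_invalid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need;
        unsigned long cp, min;

        if (c < 0x80) { i++; continue; }
        if (c >= 0xC2 && c <= 0xDF)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if (c >= 0xE0 && c <= 0xEF) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if (c >= 0xF0 && c <= 0xF4) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return (long)i;  /* 0x80-0xC1 and 0xF5-0xFF cannot start a sequence */

        if (len - i <= need) return (long)i;          /* truncated sequence */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return (long)i;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return (long)i;
        i += need + 1;
    }
    return -1;
}

/* Hypothetical helper (not a gvfs or PCRE function): offset where a leftmost
 * match of \s*= would start. Returns -2 if the buffer is rejected as invalid
 * UTF-8, -1 if there is no '=', otherwise the offset. */
long find_assignment(const unsigned char *s, size_t len)
{
    if (utf8_first_invalid(s, len) != -1)
        return -2;  /* never pass this buffer to a matcher that skips its check */
    for (size_t i = 0; i < len; i++) {
        if (s[i] != '=') continue;
        while (i > 0 && isspace(s[i - 1])) i--;
        return (long)i;
    }
    return -1;
}

/* Sample inputs: POC is the n\xff= subject from the report; the rest are constructed. */
const unsigned char POC[]       = { 'n', 0xFF, '=' };
const unsigned char GOOD[]      = "open = setup.exe";
const unsigned char OVERLONG[]  = { 0xC0, 0xAF, '=' };
const unsigned char SURROGATE[] = { 0xED, 0xA0, 0x80 };
const unsigned char TRUNCATED[] = { 'a', 0xE2, 0x82 };

int main(void)
{
    printf("PoC:  first invalid byte at %ld, parse result %ld\n",
           utf8_first_invalid(POC, sizeof POC), find_assignment(POC, sizeof POC));
    printf("good: first invalid byte at %ld, parse result %ld\n",
           utf8_first_invalid(GOOD, sizeof GOOD - 1), find_assignment(GOOD, sizeof GOOD - 1));
    return 0;
}
```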
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
** Changed in: gvfs (Ubuntu)
   Importance: Undecided => High

** Changed in: gvfs (Ubuntu)
       Status: Confirmed => Fix Committed
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
From what I understand,

1) autorun.inf files can be written to automatically execute a program. However, they still need to get user approval through a "Do you trust this program?" kind of message.

2) According to upstream comment, "By setting PCRE_NO_UTF8_CHECK you are guaranteeing that the string is a valid UTF-8 string. If you break your promise, anything might happen.". Some people have already exploited similar bugs to execute an arbitrary payload ( https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html ).

At worst, I think the bug could be exploited to create a malicious USB/SD Card/Filesystem image to execute arbitrary code without user approval when mounted. It could also be used to run code with gvfs privileges. Not sure if that qualifies as a security issue.

The bug does not happen when no user is authenticated (locked screen), so it cannot be used to bypass a login screen.
[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf
What does an autorun.inf file do?

If an autorun.inf file can tell gvfs to execute something directly, then it's probably not too critical that a malicious one can cause memory errors in gvfs. It could probably just have an evil payload as a command.

Thanks