[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives

2022-09-26 Thread Jeffrey Hawkins
Update to my comment, issue is applicable to versions prior to 1.32 of
TAR.  Be that as it may, Jammy is not affected.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/1810241

Title:
  NULL dereference when decompressing specially crafted archives

Status in tar package in Ubuntu:
  Triaged

Bug description:
  Hi,

  Fuzzing tar with checksums disabled reveals a NULL pointer dereference
  when parsing certain archives that have malformed extended headers.
  This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't
  tested Xenial's version.

  A test case with fixed checksums is attached. To avoid breaking
  anything that looks inside tar archives, I have converted it to text
  with xxd. To reproduce:

  $ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
  $ tar Oxf gnutar-crash.tar 
  tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
  tar: Malformed extended header: missing length
  Segmentation fault (core dumped)

  I have also attached a patch against the latest upstream git and
  against 1.30 (in Cosmic). This fixes the issue by detecting the null
  result before it is dereferenced.

  Regards,
  Daniel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
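
The failure class in the bug description above ("Malformed extended header: missing length" followed by a NULL dereference), shown as an added example that is not part of the original thread and is not GNU tar's code. It parses pax extended header records of the form `<length> <keyword>=<value>\n` and returns an error for a malformed record instead of handing the caller a pointer to dereference; the struct and function names are hypothetical and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this sketch; not taken from GNU tar. */
struct pax_record { const char *key, *value; size_t key_len, value_len; };

/* Parse one record "<len> <key>=<value>\n" from buf[0..avail).
   <len> counts the whole record, including its own digits and the newline.
   Returns the number of bytes consumed, or 0 if the record is malformed. */
size_t pax_parse_record(const char *buf, size_t avail, struct pax_record *out)
{
    size_t i = 0, len = 0;
    if (buf == NULL || out == NULL)
        return 0;
    while (i < avail && buf[i] >= '0' && buf[i] <= '9') {
        if (len > avail)        /* already too large to be valid; stop early */
            return 0;
        len = len * 10 + (size_t)(buf[i++] - '0');
    }
    if (i == 0 || i >= avail || buf[i] != ' ')   /* i == 0: missing length */
        return 0;
    i++;
    /* The record must fit in the buffer and end with a newline. */
    if (len <= i || len > avail || buf[len - 1] != '\n')
        return 0;
    const char *key = buf + i;
    const char *eq = memchr(key, '=', len - 1 - i);
    if (eq == NULL || eq == key)                 /* no '=' or empty keyword */
        return 0;
    out->key = key;
    out->key_len = (size_t)(eq - key);
    out->value = eq + 1;
    out->value_len = (size_t)(buf + len - 1 - (eq + 1));
    return len;
}

/* Walk a whole extended header; returns the record count or -1 on error. */
int pax_count_records(const char *buf, size_t size)
{
    int n = 0;
    for (size_t off = 0; off < size; n++) {
        struct pax_record r;
        size_t used = pax_parse_record(buf + off, size - off, &r);
        if (used == 0)
            return -1;          /* report the error; nothing is dereferenced */
        off += used;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: one valid record, then one with no length. */
    const char hdr[] = "12 path=abc\n path=xyz\n";
    printf("records: %d\n", pax_count_records(hdr, sizeof hdr - 1));
    return 0;
}
```
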


[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives

2022-09-26 Thread Jeffrey Hawkins
This issue is shown as Open on Jammy.  The CVE is applicable to 1.32 and
prior versions of TAR.  Jammy uses 1.34, so this status should be not
affected or closed.  This was fixed in Focal in
1.30+dfsg-7ubuntu0.20.04.1.  Please update the CVE status on Jammy.



[Touch-packages] [Bug 1971001] Re: Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal and Jammy

2022-09-23 Thread Jeffrey Hawkins
typo in my comment, recommendation is to build tiff with libjbig
disabled... sorry..

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tiff in Ubuntu.
https://bugs.launchpad.net/bugs/1971001

Title:
  Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal and Jammy

Status in tiff package in Ubuntu:
  In Progress

Bug description:
  The versions in Trusty, Xenial, Bionic, Focal and Jammy may be
  vulnerable to all CVEs below.

  Debian released an advisory on March 24.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1971001/+subscriptions




[Touch-packages] [Bug 1971001] Re: Multiple vulnerabilities in Trusty, Xenial, Bionic, Focal and Jammy

2022-09-23 Thread Jeffrey Hawkins
Can Ubuntu address CVE-2022-1210 similar to other Linux Distros (RHEL,
SUSE, YOCTO,...) with not building tiff with JBIG disabled since the bug
is really in libjbig (build with --disable-jbig).  See Fedora Bug
Tracker https://bugzilla.redhat.com/show_bug.cgi?id=2072615

** Bug watch added: Red Hat Bugzilla #2072615
   https://bugzilla.redhat.com/show_bug.cgi?id=2072615



[Touch-packages] [Bug 1925348] Re: stack-overflow on GNU libiberty/rust-demangle.c:664 demangle_path

2022-07-26 Thread Jeffrey Hawkins
What is the status of this CVE with Ubuntu Jammy?  This was fixed in the
upstream in January/February 2022,
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99935#c11

** Bug watch added: GCC Bugzilla #99935
   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99935

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1925348

Title:
  stack-overflow on GNU libiberty/rust-demangle.c:664 demangle_path

Status in binutils package in Ubuntu:
  Confirmed

Bug description:
  stack-overflow on GNU libiberty/rust-demangle.c:664 demangle_path when
  we run ./cxxfilt ./crashs/poc

  ./crash/poc:�@}@�^_RB_RB999IRB�RBRB

  ==34504==ERROR: AddressSanitizer: stack-overflow on address 0x7ffee6038f48 (pc 0x006a3331 bp 0x7ffee6039060 sp 0x7ffee6038f20 T0)
  #0 0x6a3330 in demangle_path rust-demangle.c:664
  #1 0x6a3bd1 in demangle_path rust-demangle.c:774
  #2 0x6a3bd1 in demangle_path rust-demangle.c:774
  #3 0x6a3bd1 in demangle_path rust-demangle.c:774
  [frames #4 through #73 repeat the same demangle_path rust-demangle.c:774 frame; the trace is cut off at frame #73]