[Touch-packages] [Bug 1830865] Re: Integer overflow in bson_ensure_space (bson.c:613)

2019-10-30 Thread Francis Ginther
** Tags added: id-5d6412d0de485863a95da846

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to whoopsie in Ubuntu.
https://bugs.launchpad.net/bugs/1830865

Title:
  Integer overflow in bson_ensure_space (bson.c:613)

Status in whoopsie package in Ubuntu:
  Fix Released

Bug description:
  Dear Ubuntu Security Team,

  I would like to report an integer overflow vulnerability in whoopsie.
  In combination with issue 1830858, this vulnerability may enable a
  local attacker to read arbitrary files on the system.

  I have attached a proof-of-concept which triggers the vulnerability. I
  have tested it on an up-to-date Ubuntu 18.04. Run it as follows:

  bunzip2 PoC.tar.bz2
  tar -xf PoC.tar
  cd PoC
  make
  ./killwhoopsie2

  The PoC works by creating a file named
  `/var/crash/killwhoopsie.crash`, just over 2GB in size. It then
  creates a file named `/var/crash/killwhoopsie.upload`, which prompts
  whoopsie to start processing the .crash file.

  This is the source location of the integer overflow bug:

  http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/lib/bson/bson.c#L613

  The problem is that the types of pos, bytesNeeded, and b->dataSize are
  all int. My PoC triggers an integer overflow in the calculation of pos
  + bytesNeeded, which causes bson_ensure_space to return immediately on
  line 614 without allocating more space. This leads subsequently to a
  heap buffer overflow on line 738:

  http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/lib/bson/bson.c#L738

  Please let me know when you have fixed the vulnerability, so that I
  can coordinate my disclosure with yours. For reference, here is a link
  to Semmle's vulnerability disclosure policy:
  https://lgtm.com/security#disclosure_policy

  Thank you,

  Kevin Backhouse

  Semmle Security Research Team

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830865/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
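As an added illustration, not code from the bug report or from whoopsie's bson.c, here is a minimal model of the capacity check the report describes (the sum pos + bytesNeeded formed in int) beside a hardened version that cannot wrap. The field names pos, bytesNeeded and dataSize follow the report; the struct and function names are assumptions.

```c
/* Added illustration (not whoopsie's bson.c): a minimal model of the
 * capacity check described in the report, with a hardened version.
 * Field names pos, bytesNeeded and dataSize follow the report; the
 * struct and function names are assumed. */
#include <limits.h>

typedef struct {
    int dataSize;  /* bytes allocated for the document */
    int pos;       /* bytes already written, 0 <= pos <= dataSize */
} bson_model;

/* Vulnerable pattern: the sum is formed in int. Once pos is close to
 * INT_MAX (the report's just-over-2GB crash file), pos + bytesNeeded
 * wraps to a negative value, the "fits" test passes and no space is
 * allocated; the following copy then writes past the heap buffer.
 * The signed add is modelled with an unsigned add cast back to int so
 * the wrap-around is reproducible on two's-complement targets (the
 * original performs the signed add directly, which is undefined
 * behaviour in C). Returns 1 if the caller would proceed to write
 * without growing the buffer. */
int fits_vulnerable(const bson_model *b, int bytesNeeded) {
    int sum = (int)((unsigned)b->pos + (unsigned)bytesNeeded);
    return sum <= b->dataSize;
}

/* Hardened check: validate the request and rearrange the comparison so
 * nothing can overflow. dataSize - pos cannot wrap because both are
 * non-negative and pos <= dataSize. Returns 1 if the bytes fit, 0 if
 * the buffer must be grown, -1 if the request or state is invalid. */
int fits_hardened(const bson_model *b, int bytesNeeded) {
    if (bytesNeeded < 0 || b->pos < 0 || b->pos > b->dataSize)
        return -1;  /* corrupt state or bad request: refuse, do not write */
    return bytesNeeded <= b->dataSize - b->pos;
}

/* Size the grown buffer would need, refusing to exceed INT_MAX instead
 * of wrapping. Returns 0 when the request cannot be represented. */
int required_size(const bson_model *b, int bytesNeeded) {
    if (bytesNeeded < 0 || b->pos < 0) return 0;
    if (bytesNeeded > INT_MAX - b->pos) return 0;  /* would overflow */
    return b->pos + bytesNeeded;
}
```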


[Touch-packages] [Bug 1830865] Re: Integer overflow in bson_ensure_space (bson.c:613)

2019-10-29 Thread Alex Murray
** Information type changed from Private Security to Public Security
