*** This bug is a security vulnerability ***

You have been subscribed to a private security bug by Joshua Peisach 

A bug for the triage/patching of CVE-2022-37290.

In get_basename() and g_file_get_basename(), when the file name cannot
be parsed, NULL is returned; Nautilus does not check this, and this
results in an NPD and a crash.

The issue on GNOME GitLab explains this pretty well:

And the code in question is also in Nemo and Caja.

History of the code: The faulty code was introduced in Nautilus 2.20,
before Nemo and Caja were forked; these file managers have the same
issue and same code in the function.

The simplest POC I found was running this via DBus, which I'm not 100%
sure if I've altered correctly for Nemo and Caja, but regardless for
Nautilus this results in a crash.

Nov 27 20:38:32 Joshua-2210Test nautilus[5433]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Nov 27 20:38:32 Joshua-2210Test kernel: [  825.449866] pool-org.gnome.[5439]: segfault at 0 ip 00007f3058c6c570 sp 00007f3051dfa968 error 4 in
Nov 27 20:38:32 Joshua-2210Test kernel: [  825.449878] Code: 0f 85 bc fe ff ff e9 42 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 d1 48 85 f6 0f 89 b0 00 00 00 <0f> b6 07 84 c0 75 15 eb 27 0f 1f 80 00 00 00 00 0f b6 42 01 48 8d

Attached is the poc.py, made by Wu Chunming.

** Nemo **
Upstream, version 5.6.0:
(more advanced/verbose) upstream patch: 
possible further problems: 
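The following is an added example, not code from Nautilus, Nemo, Caja or the GNOME patch. It models the bug class described above in plain C without GLib: a hypothetical basename helper (a stand-in for g_file_get_basename(), which is documented as nullable) returns NULL for names it cannot parse, the unchecked caller dereferences that NULL, and the hardened caller substitutes a placeholder instead.

```c
/* Added example for CVE-2022-37290's bug class; hypothetical code,
 * not the file managers' own. Models a nullable basename helper and
 * an unchecked versus a checked caller. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small strdup replacement so the example is plain ISO C. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Hypothetical stand-in for g_file_get_basename(): returns a newly
 * allocated basename, or NULL when the name cannot be parsed (here:
 * NULL or empty input, or a name that ends in a separator). */
char *get_basename_nullable(const char *path)
{
    if (path == NULL || *path == '\0')
        return NULL;
    const char *slash = strrchr(path, '/');
    const char *base = (slash != NULL) ? slash + 1 : path;
    if (*base == '\0')
        return NULL;            /* e.g. "dir/" has no basename */
    return dup_string(base);
}

/* Vulnerable pattern: uses the result without checking it for NULL.
 * Calling this with an unparsable name dereferences NULL (strlen(NULL)). */
size_t unsafe_display_name_len(const char *path)
{
    char *base = get_basename_nullable(path);
    size_t n = strlen(base);    /* NULL dereference when base == NULL */
    free(base);
    return n;
}

/* Hardened pattern: treat NULL as "unparsable name" and fall back to a
 * placeholder the caller can still display and free. */
char *safe_display_name(const char *path)
{
    char *base = get_basename_nullable(path);
    if (base == NULL)
        return dup_string("(invalid name)");
    return base;
}

int main(void)
{
    /* Constructed sample names: one ordinary, two unparsable. */
    const char *samples[] = { "archive/foo.txt", "dir/", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *name = safe_display_name(samples[i]);
        printf("%-16s -> %s\n", samples[i], name);
        free(name);
    }
    return 0;
}
```

The vulnerable function is kept only to show the shape of the defect; the hardened one is what a caller of a nullable API should look like, and the same check applies to any GLib function whose return is marked (nullable).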

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: nautilus 1:43.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-23.24-generic 5.19.7
Uname: Linux 5.19.0-23-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Sun Nov 27 20:41:20 2022

InstallationDate: Installed on 2022-09-18 (70 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220918)
 PATH=(custom, no user)
SourcePackage: nautilus
UpgradeStatus: No upgrade log present (probably fresh install)
 file-roller                       43.0-1
 nautilus-extension-gnome-terminal 3.46.2-1ubuntu1

** Affects: caja (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nautilus (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nemo (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug bionic focal jammy kinetic wayland-session
CVE-2022-37290: Pasted zip archive/invalid file causes NPD
universe-bugs mailing list