DoS vulnerability: fail to allocate

Bug #1882180 reported by Seong-Joong Kim
Affects            Status         Importance  Assigned to       Milestone
whoopsie (Ubuntu)  Fix Released   Undecided   Marc Deslauriers
Xenial             Fix Released   Undecided   Marc Deslauriers
Bionic             Fix Released   Undecided   Marc Deslauriers
Eoan               Won't Fix      Undecided   Marc Deslauriers
Focal              Fix Released   Undecided   Marc Deslauriers
Groovy             Fix Released   Undecided   Marc Deslauriers

Bug Description

Hi,

I have found a security issue on whoopsie 0.2.69 and earlier.

# Vulnerability description
In whoopsie 0.2.69 and earlier, there is a denial of service vulnerability in the parse_report function.
A crafted input, i.e., a crash report located in '/var/crash/', will lead to a denial of service attack.
During the parsing of the crash report, the data length is not checked.
The value of the data length can be directly controlled by an input file.
In the parse_report() function, g_malloc or g_realloc is called based on the data length.
If we set the value of the data length close to the amount of system memory, it will cause the daemon process to terminate unexpectedly, hang the system, or trigger the OOM killer.

# PoC
Please check whoopsie_killer2.py below.

Sincerely,
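
An added example, not part of the bug report and not whoopsie's own code: one way a C parser can bound memory use while reading an untrusted report file, in the spirit of the "limit the size of a report file" fix recorded in the changelogs further down this page. The function name and the 64 MiB cap are assumptions; plain realloc() is used so that allocation failure is returned to the caller, whereas GLib's g_malloc() and g_realloc() abort the process when an allocation fails.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for this example; not a value taken from whoopsie. */
#define MAX_REPORT_BYTES ((size_t)64 * 1024 * 1024)

/* Read a whole report into memory, refusing anything larger than cap.
 * The buffer grows only by bytes actually read and never past cap, so a
 * length claimed or implied by the input file cannot drive the allocation.
 * Returns 0 on success (caller frees *out), -1 on error with errno set. */
int read_report_bounded(FILE *fp, size_t cap, char **out, size_t *out_len)
{
    char chunk[4096], *buf = NULL;
    size_t len = 0, n;

    while ((n = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        if (n > cap - len) {             /* len <= cap always holds here */
            free(buf);
            errno = EFBIG;               /* over the cap: stop reading */
            return -1;
        }
        char *p = realloc(buf, len + n + 1);
        if (p == NULL) {                 /* report failure, do not abort */
            free(buf);
            errno = ENOMEM;
            return -1;
        }
        buf = p;
        memcpy(buf + len, chunk, n);
        len += n;
        buf[len] = '\0';                 /* keep the buffer a C string */
    }
    if (ferror(fp)) {
        free(buf);
        errno = EIO;
        return -1;
    }
    if (buf == NULL && (buf = calloc(1, 1)) == NULL)
        return -1;                       /* empty file: return "" */
    *out = buf;
    *out_len = len;
    return 0;
}
```

A caller would pass MAX_REPORT_BYTES as cap and treat EFBIG as "skip this report" rather than as a fatal error, so one oversized file in the crash directory does not take the daemon down.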

Seong-Joong Kim (sungjungk) wrote :

This is PoC source code.

description: updated
summary: - Denial of service due to uncaught exception on parse_report()
+ DoS vulnerability: fail to allocate
Changed in whoopsie (Ubuntu):
status: New → Confirmed
assignee: nobody → Alex Murray (alexmurray)
Changed in whoopsie (Ubuntu Xenial):
status: New → Confirmed
assignee: nobody → Alex Murray (alexmurray)
Changed in whoopsie (Ubuntu Bionic):
status: New → Confirmed
assignee: nobody → Alex Murray (alexmurray)
Changed in whoopsie (Ubuntu Focal):
status: New → Confirmed
assignee: nobody → Alex Murray (alexmurray)
Changed in whoopsie (Ubuntu Eoan):
status: New → Confirmed
assignee: nobody → Alex Murray (alexmurray)
Marc Deslauriers (mdeslaur) wrote :

Looks like this is CVE-2020-15570

Changed in whoopsie (Ubuntu Xenial):
assignee: Alex Murray (alexmurray) → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Bionic):
assignee: Alex Murray (alexmurray) → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Eoan):
assignee: Alex Murray (alexmurray) → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Focal):
assignee: Alex Murray (alexmurray) → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Groovy):
assignee: Alex Murray (alexmurray) → Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.69ubuntu0.1

---------------
whoopsie (0.2.69ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Focal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.52.5ubuntu0.5

---------------
whoopsie (0.2.52.5ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.62ubuntu0.5

---------------
whoopsie (0.2.62ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Bionic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.71

---------------
whoopsie (0.2.71) groovy; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Brian Murray <email address hidden> Wed, 05 Aug 2020 15:00:45 -0700

Changed in whoopsie (Ubuntu Groovy):
status: Confirmed → Fix Released
Brian Murray (brian-murray) wrote :

The Eoan Ermine has reached end of life, so this bug will not be fixed for that release.

Changed in whoopsie (Ubuntu Eoan):
status: Confirmed → Won't Fix