Comment 4 for bug 1830863

kev (kbackhouse2000) wrote : Re: [Bug 1830863] Re: Integer overflow in parse_report (whoopsie.c:425)

Hi Alex,

Yes, 9th July sounds good. I think it makes sense to disclose this issue on
the same day as issue 1830858.

Thanks,

Kev

On Thu, Jun 13, 2019 at 1:41 PM Alex Murray <email address hidden>
wrote:

> Kevin, do you have a preferred disclosure date / time for this? I notice
> your policy says 90 days after initial report or 30 days after patch
> availability - I will be working on a patch for this issue and hope to
> have something together in the next week or so - and so would prefer a
> CRD in about 3-4 weeks time. How would 9th July suit you?
>
> https://bugs.launchpad.net/bugs/1830863
>
> Title:
> Integer overflow in parse_report (whoopsie.c:425)
>
> Status in whoopsie package in Ubuntu:
> New
>
> Bug description:
> Dear Ubuntu Security Team,
>
> I would like to report an integer overflow vulnerability in whoopsie.
> In combination with issue 1830858, this vulnerability may enable a
> local attacker to read arbitrary files on the system.
>
> I have attached a proof-of-concept which triggers the vulnerability. I
> have tested it on an up-to-date Ubuntu 18.04. Run it as follows:
>
> bunzip2 PoC.tar.bz2
> tar -xf PoC.tar
> cd PoC
> make
> ./killwhoopsie1
>
> The PoC works by creating a file named
> `/var/crash/killwhoopsie.crash`, just over 4GB in size. It then
> creates a file named `/var/crash/killwhoopsie.upload`, which prompts
> whoopsie to start processing the .crash file. Be aware that whoopsie
> will keep restarting and crash repeatedly until you remove the files
> from /var/crash.
>
> This is the source location of the integer overflow bug:
>
> http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/src/whoopsie.c#L425
>
> The problem is that the type of value_pos is int, but the size of the
> file can be larger than INT_MAX. My PoC arranges things such that
> value_pos == -16, leading to an out-of-bounds write on line 440.
>
> Please let me know when you have fixed the vulnerability, so that I
> can coordinate my disclosure with yours. For reference, here is a link
> to Semmle's vulnerability disclosure policy:
> https://lgtm.com/security#disclosure_policy
>
> Thank you,
>
> Kevin Backhouse
>
> Semmle Security Research Team
>
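The offset-narrowing pattern the quoted report describes, as an added illustration that is neither whoopsie's code nor the reporter's PoC: a simplified model in which a byte offset into the report is stored in `int`, placed next to a bounds-checked version. The function names, the 64 MiB cap and the sample offset are assumptions; the only value taken from the report is that a file just over 4 GB yields `value_pos == -16`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified model of the bug class in the report, not whoopsie's
 * actual parse_report code: a parser records where a value starts as an
 * `int`, so an offset past INT_MAX in a >4 GB file wraps negative. */
int value_pos_narrowed(size_t offset)
{
    /* Narrowing conversion: for offset 0xFFFFFFF0 (a file "just over 4 GB")
     * this yields -16 on the usual two's-complement ABIs, as in the report. */
    int value_pos = (int)offset;
    return value_pos;
}

/* Whether buf[value_pos] would be a legal access into a `len`-byte buffer.
 * A negative index is always out of bounds, which is the write the report
 * describes at line 440. */
int index_in_bounds(int value_pos, size_t len)
{
    return value_pos >= 0 && (size_t)value_pos < len;
}

/* Hardened pattern: keep offsets in size_t, refuse oversized reports up
 * front, and bounds-check against the mapped length before indexing.
 * MAX_REPORT_SIZE is an assumed policy cap, not a whoopsie setting. */
#define MAX_REPORT_SIZE ((size_t)64 * 1024 * 1024)

int value_pos_checked(size_t offset, size_t len, size_t *out)
{
    if (len > MAX_REPORT_SIZE)
        return -1;                 /* oversized report: reject and log it */
    if (offset >= len)
        return -1;                 /* index would land outside the buffer */
    *out = offset;
    return 0;
}

int main(void)
{
    size_t huge = (size_t)4294967280ULL;    /* 0xFFFFFFF0: just over 4 GB */
    size_t out = 0;
    int narrowed = value_pos_narrowed(huge);
    printf("narrowed value_pos = %d, in bounds: %d\n", narrowed,
           index_in_bounds(narrowed, huge + 16));
    printf("checked lookup: %d\n", value_pos_checked(huge, huge + 16, &out));
    return 0;
}
```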