gvfs may crash when parsing non-valid UTF8 in autorun.inf

Bug #1798725 reported by Alex Murray
Affects          Status        Importance  Assigned to  Milestone
gvfs (Ubuntu)    Fix Released  High        Unassigned
Bionic           Fix Released  Undecided   Unassigned
Cosmic           Fix Released  Undecided   Unassigned

Bug Description

* Impact

gvfs can be made to segfault by being provided an invalid autorun.inf

* Test Case

Use the proof of concept from below to generate an invalid autorun.inf and place it on a USB drive, then connect the drive to the computer; gvfs shouldn't hit a segfault

* Regression potential

Check that the autorun feature keeps working

-----------------------

Reported upstream at https://bugs.exim.org/show_bug.cgi?id=2330 - libpcre3 can be made to crash when matching the pattern \s*= when the context is n\xff=

Able to reproduce on current Bionic using the PoC attached (which is copied directly from the upstream bug report) - in a fresh Bionic VM:

$ sudo apt install build-essential libgtk2.0-dev
$ cd PCRE_PoC
$ ./compilePoC.sh
$ ./PoC
Content:
-------------------
n�=
-------------------
Pattern:
-------------------
\s*=
---------------------
Segmentation fault (core dumped)

Haven't yet tested the second PoC via an external disk autorun.inf and gvfs-udisks2-volume-monitor.

Also haven't tested in Cosmic / older releases

Revision history for this message
Alex Murray (alexmurray) wrote :

I have reworked the PoC into one which allows the crash to be reproduced directly using just libpcre, and have verified this works directly on the upstream libpcre releases 8.39, 8.40, 8.41 & 8.42 - waiting on a response from upstream - https://bugs.exim.org/show_bug.cgi?id=2330#c2

Revision history for this message
Alex Murray (alexmurray) wrote :

Seems this is a bug in gvfs not properly validating as UTF8 before calling into glib: https://bugs.exim.org/show_bug.cgi?id=2330#c9

affects: pcre3 (Ubuntu) → gvfs (Ubuntu)
Revision history for this message
Alex Murray (alexmurray) wrote :

This was fixed in upstream commit https://gitlab.gnome.org/GNOME/gvfs/commit/a23eb6f14eb3cffa1585d4e5e566f779337d1e04

Uncertain whether this qualifies as a security issue - there doesn't seem to be any real security impact from the bug - so unmarking this as a security issue now.

information type: Public Security → Public
summary: - Content "n\xff=" can crash libpcre when an application is matching the
- pattern \s*=
+ gvfs may crash when parsing non-valid UTF8 in autorun.inf
Revision history for this message
Seth Arnold (seth-arnold) wrote :

What does an autorun.inf file do?

If an autorun.inf file can tell gvfs to execute something directly, then it's probably not too critical that a malicious one can cause memory errors in gvfs. It could probably just have an evil payload as a command.

Thanks

Revision history for this message
Camille Gay (camilleg2) wrote :

From what I understand,

1) autorun.inf files can be written to automatically execute a program. However, they still need to get user approval through a "Do you trust this program?" kind of message.
2) According to upstream comment, "By setting PCRE_NO_UTF8_CHECK you are guaranteeing that the string is a valid UTF-8 string. If you break your promise, anything might happen.". Some people have already exploited similar bugs to execute an arbitrary payload ( https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html ).

At worst, I think the bug could be exploited to create a malicious USB/SD Card/Filesystem image to execute arbitrary code without user approval when mounted. It could also be used to run code with gvfs privileges.
Not sure if that qualifies as a security issue. The bug does not happen when no user is authenticated (locked screen), so it cannot be used to bypass a login screen.

Changed in gvfs (Ubuntu):
importance: Undecided → High
status: Confirmed → Fix Committed
description: updated
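The two comments above pin the root cause down: GLib's GRegex tells PCRE to skip its own UTF-8 check (PCRE_NO_UTF8_CHECK), so the caller owns the promise that the subject string is valid UTF-8, and gvfs handed it raw autorun.inf bytes. The following is an added example, not gvfs code and not the upstream patch: a stand-alone UTF-8 validator (a substitute for GLib's g_utf8_validate(), which is not reimplemented here) in front of a simplified "key=value" autorun line parser, so that the constructed trigger "n\xff=" is rejected before any pattern matching sees it. The parser is a hypothetical simplification of what gvfs does with autorun.inf; only the ordering (validate, then match) is the point.

```c
/* Added example: validate bytes as UTF-8 before passing them to a regex
 * engine that has been told to trust the caller (PCRE_NO_UTF8_CHECK).
 * Not gvfs code; utf8_validate() is a stand-alone checker with the same
 * accept/reject rules as a strict decoder (no overlong forms, no UTF-16
 * surrogates, nothing above U+10FFFF, no truncated sequences). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf[0..len) is well-formed UTF-8, else 0; on failure *bad
 * (if non-NULL) receives the offset of the first offending byte. */
int utf8_validate(const unsigned char *buf, size_t len, size_t *bad)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need = 0;                      /* continuation bytes expected */
        unsigned char lo = 0x80, hi = 0xBF;   /* allowed range for 2nd byte */
        if (c < 0x80) { i++; continue; }                      /* ASCII */
        else if (c >= 0xC2 && c <= 0xDF) need = 1;
        else if (c == 0xE0) { need = 2; lo = 0xA0; }          /* no overlong */
        else if (c >= 0xE1 && c <= 0xEC) need = 2;
        else if (c == 0xED) { need = 2; hi = 0x9F; }          /* no surrogates */
        else if (c >= 0xEE && c <= 0xEF) need = 2;
        else if (c == 0xF0) { need = 3; lo = 0x90; }          /* no overlong */
        else if (c >= 0xF1 && c <= 0xF3) need = 3;
        else if (c == 0xF4) { need = 3; hi = 0x8F; }          /* <= U+10FFFF */
        else { if (bad) *bad = i; return 0; }                 /* 0x80-0xC1, 0xF5-0xFF */
        if (len - i - 1 < need) { if (bad) *bad = i; return 0; }     /* truncated */
        if (buf[i + 1] < lo || buf[i + 1] > hi) { if (bad) *bad = i + 1; return 0; }
        for (size_t k = 2; k <= need; k++)
            if ((buf[i + k] & 0xC0) != 0x80) { if (bad) *bad = i + k; return 0; }
        i += need + 1;
    }
    return 1;
}

/* Hypothetical, simplified autorun parser: skips "[section]" lines and
 * returns the first "key=" it finds.  The guard comes first: anything that
 * is not valid UTF-8 is refused before the bytes are searched at all.
 * Returns -1 for invalid encoding, 0 if no key line exists, 1 on success
 * with the key (trailing blanks stripped) copied into key_out. */
int autorun_first_key(const unsigned char *content, size_t len,
                      char *key_out, size_t key_sz)
{
    size_t bad, pos = 0;
    if (!utf8_validate(content, len, &bad)) {
        fprintf(stderr, "autorun.inf: invalid UTF-8 at byte %zu, ignoring file\n", bad);
        return -1;
    }
    while (pos < len) {
        const unsigned char *line = content + pos;
        const unsigned char *nl = memchr(line, '\n', len - pos);
        size_t llen = nl ? (size_t)(nl - line) : len - pos;
        pos += llen + 1;
        if (llen == 0 || line[0] == '[') continue;        /* blank or section */
        const unsigned char *eq = memchr(line, '=', llen);
        if (!eq) continue;
        size_t klen = (size_t)(eq - line);
        while (klen > 0 && (line[klen - 1] == ' ' || line[klen - 1] == '\t')) klen--;
        if (klen >= key_sz) klen = key_sz - 1;
        memcpy(key_out, line, klen);
        key_out[klen] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples: the upstream trigger bytes and a benign file. */
    static const unsigned char trigger[] = { 'n', 0xff, '=' };
    static const unsigned char benign[] = "[autorun]\r\nicon=disk.ico\r\n";
    char key[32];
    printf("trigger -> %d (expected -1: rejected before matching)\n",
           autorun_first_key(trigger, sizeof trigger, key, sizeof key));
    if (autorun_first_key(benign, sizeof benign - 1, key, sizeof key) == 1)
        printf("benign  -> key '%s'\n", key);
    return 0;
}
```

The crash line in the report is exactly the case where the second step ran without the first: with PCRE_NO_UTF8_CHECK set, the engine walks past the 0xff byte looking for the next character boundary, which is undefined behaviour by PCRE's own contract. Refusing the file is the right outcome; a removable medium's autorun.inf has no business being anything but plain ASCII/UTF-8.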
Revision history for this message
Sebastien Bacher (seb128) wrote :

@Alex, I've uploaded to disco, and since I was doing an SRU for cosmic/bionic I included it there; it would be nice if you could help with a better testcase though?

Revision history for this message
Alex Murray (alexmurray) wrote :

@Seb - so there is an autorun.inf in the original tarball which can be used (I will attach it separately here as well) - and this reproduces the crash for me - I just copied it to a FAT formatted USB drive, plugged it in and then in dmesg:

[ 40.361136] gvfs-udisks2-vo[1563]: segfault at 7f3c60a485e0 ip 00007f3c6099ef86 sp 00007ffe34884e10 error 4 in libpcre.so.3.13.3[7f3c60983000+70000]
[ 51.023933] gvfs-udisks2-vo[1805]: segfault at 7fb5ef2205e0 ip 00007fb5ef176f86 sp 00007fff3e059160 error 4 in libpcre.so.3.13.3[7fb5ef15b000+70000]

And eventually apport popped up as well (gvfs-udisks2-volume-monitor crashed with SIGSEGV in pcre_exec()).

Revision history for this message
Alex Murray (alexmurray) wrote :

@Seb - also I rebuilt gvfs locally for bionic with that upstream patch added and can confirm it does not segfault after that - would be happy to test your SRUd version and confirm it as well if needed.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.38.1-1ubuntu2

---------------
gvfs (1.38.1-1ubuntu2) disco; urgency=medium

  * d/p/common-Prevent-crashes-on-invalid-autorun-file.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)

 -- Sebastien Bacher <email address hidden> Tue, 13 Nov 2018 22:18:59 +0100

Changed in gvfs (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Alex, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Alex, or anyone else affected,

Accepted gvfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Alex Murray (alexmurray) wrote :

Tested the version from cosmic-proposed in an up-to-date VM and it failed - looks like this is not actually applied during the build - see the build log https://launchpadlibrarian.net/398362236/buildlog_ubuntu-cosmic-amd64.gvfs_1.38.1-0ubuntu1_BUILDING.txt.gz and notice it is never listed during unpacking

Steps to test locally as follows:

1. Enable cosmic-proposed
2. sudo apt-get dist-upgrade
3. sudo reboot

On next boot with the autorun.inf on a local USB drive:

$ dmesg | grep gvfs
[ 57.813663] gvfs-udisks2-vo[1777]: segfault at 7fe470b0a180 ip 00007fe470a5b6a6 sp 00007ffeeec746f0 error 4 in libpcre.so.3.13.3[7fe470a45000+52000]
[ 176.066448] gvfs-udisks2-vo[2294]: segfault at 7f9bf21c9180 ip 00007f9bf211a6a6 sp 00007ffd2cc2ef60 error 4 in libpcre.so.3.13.3[7f9bf2104000+52000]
$ apt-cache policy gvfs
gvfs:
  Installed: 1.38.1-0ubuntu1
  Candidate: 1.38.1-0ubuntu1
  Version table:
 *** 1.38.1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.38.0-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages

tags: added: verification-failed-cosmic
removed: verification-needed-cosmic
Revision history for this message
Alex Murray (alexmurray) wrote :

Tested the version from bionic-proposed in an up-to-date VM and it passed

Steps to test locally as follows:

1. Enable bionic-proposed
2. sudo apt-get dist-upgrade
3. sudo reboot

On next boot with the autorun.inf on a local USB drive:

$ dmesg | grep gvfs
$ apt-cache policy gvfs
gvfs:
  Installed: 1.36.1-0ubuntu1.2
  Candidate: 1.36.1-0ubuntu1.2
  Version table:
 *** 1.36.1-0ubuntu1.2 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.36.1-0ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
     1.36.1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Sebastien Bacher (seb128) wrote :

@amurray, thx, indeed the patch is missing from the series on cosmic, I did another upload to fix that one

Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Alex, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-cosmic
removed: verification-failed-cosmic
Revision history for this message
Alex Murray (alexmurray) wrote :

Tested the new version in cosmic-proposed on an up-to-date cosmic VM by inserting a USB drive with the attached autorun.inf and it passes.

Steps to test locally as follows:

1. Enable cosmic-proposed
2. sudo apt-get dist-upgrade
3. sudo reboot

On next boot with the autorun.inf on a local USB drive:

$ dmesg | grep gvfs
$ apt-cache policy gvfs
gvfs:
  Installed: 1.38.1-0ubuntu1.1
  Candidate: 1.38.1-0ubuntu1.1
  Version table:
 *** 1.38.1-0ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.38.0-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.38.1-0ubuntu1.1

---------------
gvfs (1.38.1-0ubuntu1.1) cosmic; urgency=medium

  * debian/patches/series:
    - include git_invalid_autorun.patch which was mentioned in
      the previous upload but not added to the series

gvfs (1.38.1-0ubuntu1) cosmic; urgency=medium

  * New upstream version (lp: #1803186)
   - smbbrowse: Force NT1 protocol version for workgroup support
     (lp: #1778322)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)

 -- Sebastien Bacher <email address hidden> Wed, 21 Nov 2018 15:03:01 +0100

Changed in gvfs (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for gvfs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.36.1-0ubuntu1.2

---------------
gvfs (1.36.1-0ubuntu1.2) bionic; urgency=medium

  * debian/patches/git_smb_writing.patch:
    - Use O_RDWR to fix fstat when writing (lp: #1803158)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)
  * debian/patches/git_channel_lock.patch:
    - daemon: Prevent deadlock and invalid read when closing channels
      (lp: #1630905)
  * debian/patches/git_dav_lockups.patch:
    - workaround libsoup limitation to prevent dav lockups (lp: #1792878)
  * debian/patches/git_smb_nt1.patch:
    - smbbrowse: Force NT1 protocol version for workgroup support
      (lp: #1778322)
  * debian/patches/git_smb_directory.patch:
    - smb: Add workaround to fix removal of non-empty dir (lp: #1803190)

 -- Sebastien Bacher <email address hidden> Tue, 13 Nov 2018 17:09:03 +0100

Changed in gvfs (Ubuntu Bionic):
status: Fix Committed → Fix Released