CVE-2022-37290: Pasted zip archive/invalid file causes NPD

Bug #1998060 reported by Joshua Peisach

Affects             Status          Importance   Assigned to       Milestone
caja (Ubuntu)       New             Undecided    Unassigned
  Focal             New             Undecided    Unassigned
  Jammy             New             Undecided    Unassigned
  Kinetic           Won't Fix       Undecided    Unassigned
  Lunar             New             Undecided    Unassigned
nautilus (Ubuntu)   Fix Released    Undecided    Unassigned
  Focal             Fix Released    Undecided    Unassigned
  Jammy             Fix Released    Undecided    Unassigned
  Kinetic           Fix Released    Undecided    Unassigned
  Lunar             Fix Released    Undecided    Unassigned
nemo (Ubuntu)       Fix Committed   Undecided    Joshua Peisach
  Focal             New             Undecided    Joshua Peisach
  Jammy             New             Undecided    Joshua Peisach
  Kinetic           Won't Fix       Undecided    Joshua Peisach
  Lunar             Fix Committed   Undecided    Joshua Peisach

Bug Description

A bug for the triage/patching of CVE-2022-37290.

In get_basename() and g_file_get_basename(), when the file name cannot be parsed, NULL is returned; Nautilus does not check this, and this results in an NPD and a crash.

The issue on GNOME GitLab explains this pretty well: https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376

And the code in question is also in Nemo and Caja.

History of the code: The faulty code was introduced in Nautilus 2.20, before Nemo and Caja were forked; these file managers have the same issue and same code in the function.

The simplest POC I found was running this via DBus, which I'm not 100% sure I've altered correctly for Nemo and Caja, but regardless, for Nautilus this results in a crash.

```
Nov 27 20:38:32 Joshua-2210Test nautilus[5433]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Nov 27 20:38:32 Joshua-2210Test kernel: [ 825.449866] pool-org.gnome.[5439]: segfault at 0 ip 00007f3058c6c570 sp 00007f3051dfa968 error 4 in libglib-2.0.so.0.7400.0[7f3058c03000+8f000]
Nov 27 20:38:32 Joshua-2210Test kernel: [ 825.449878] Code: 0f 85 bc fe ff ff e9 42 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 d1 48 85 f6 0f 89 b0 00 00 00 <0f> b6 07 84 c0 75 15 eb 27 0f 1f 80 00 00 00 00 0f b6 42 01 48 8d
```

Attached is the poc.py, made by Wu Chunming.

** Nemo **
Upstream, version 5.6.0:
(more advanced/verbose) upstream patch: https://github.com/linuxmint/nemo/commit/b9953e61f61724f46740ac77317720549cdf6005
possible further problems: https://github.com/linuxmint/nemo/commit/33c37a82e88a8e6b289b3b0d2010ce0caece4bdb

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: nautilus 1:43.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-23.24-generic 5.19.7
Uname: Linux 5.19.0-23-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Sun Nov 27 20:41:20 2022
GsettingsChanges:

InstallationDate: Installed on 2022-09-18 (70 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220918)
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
 PATH=(custom, no user)
SourcePackage: nautilus
UpgradeStatus: No upgrade log present (probably fresh install)
usr_lib_nautilus:
 file-roller 43.0-1
 nautilus-extension-gnome-terminal 3.46.2-1ubuntu1
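
The pattern the description gives, as an added example that is not code from nautilus, nemo, caja or GLib: a basename getter that returns NULL when the name cannot be parsed, a copy handler that uses the result without a NULL check (the 'before' shape), and the hardened form that refuses the request instead. model_get_basename(), copy_request_vulnerable(), copy_request_hardened(), the status codes and the wrapper functions are names introduced for this example, and all inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not nautilus/GLib code. model_get_basename() stands in for
 * g_file_get_basename(): it returns a malloc'd copy of the last path component
 * of a file:// URI, or NULL when no basename can be derived (empty input,
 * another scheme, or a path ending in '/' such as the root). The real function
 * returns NULL whenever the GFile has no basename; this only approximates it. */
static char *model_get_basename(const char *uri)
{
    static const char prefix[] = "file://";
    size_t plen = sizeof prefix - 1;

    if (uri == NULL || strncmp(uri, prefix, plen) != 0)
        return NULL;
    const char *path = uri + plen;
    size_t len = strlen(path);
    if (len == 0 || path[len - 1] == '/')
        return NULL;                       /* no final component to name */
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    char *copy = malloc(strlen(base) + 1);
    if (copy != NULL)
        strcpy(copy, base);
    return copy;
}

/* Status codes for the copy handlers below (assumed names). */
enum { COPY_OK = 0, COPY_BAD_SOURCE = -1, COPY_TOO_LONG = -2 };

/* The 'before' shape: builds "<dest_dir>/<basename>" and uses the basename
 * without a NULL check. Hand it a source URI with no basename and the strlen()
 * below reads through NULL, the same kind of null-pointer dereference the
 * report's kernel log shows as "segfault at 0". Only call it with a source
 * that does have a basename. */
static int copy_request_vulnerable(const char *src_uri, const char *dest_dir,
                                   char *out, size_t out_len)
{
    char *base = model_get_basename(src_uri);
    size_t need = strlen(dest_dir) + 1 + strlen(base) + 1;   /* NULL deref */

    if (need > out_len) {
        free(base);
        return COPY_TOO_LONG;
    }
    snprintf(out, out_len, "%s/%s", dest_dir, base);
    free(base);
    return COPY_OK;
}

/* The hardened shape: refuse the request when no basename can be derived,
 * before anything dereferences it. */
static int copy_request_hardened(const char *src_uri, const char *dest_dir,
                                 char *out, size_t out_len)
{
    char *base = model_get_basename(src_uri);

    if (base == NULL)
        return COPY_BAD_SOURCE;            /* invalid source: report, don't crash */
    size_t need = strlen(dest_dir) + 1 + strlen(base) + 1;
    if (need > out_len) {
        free(base);
        return COPY_TOO_LONG;
    }
    snprintf(out, out_len, "%s/%s", dest_dir, base);
    free(base);
    return COPY_OK;
}

/* Wrappers that run the hardened handler into a static buffer so a caller can
 * inspect the status and the resulting target separately. */
static char last_target[256];

static int hardened_status(const char *src_uri, const char *dest_dir)
{
    last_target[0] = '\0';
    return copy_request_hardened(src_uri, dest_dir, last_target, sizeof last_target);
}

static const char *hardened_last_target(void)
{
    return last_target;
}

int main(void)
{
    /* Constructed inputs: a normal source, and the kind of malformed source a
     * D-Bus caller can pass to a copy method (the root has no basename). */
    const char *good = "file:///home/user/Downloads/archive.zip";
    const char *bad  = "file:///";
    const char *dest = "file:///home/user/Documents";

    if (hardened_status(good, dest) == COPY_OK)
        printf("copy target: %s\n", hardened_last_target());
    printf("hardened(bad) status: %d (COPY_BAD_SOURCE)\n", hardened_status(bad, dest));
    /* copy_request_vulnerable(bad, dest, ...) would dereference NULL here. */
    return 0;
}
```

The check the upstream fixes add boils down to the single `if (base == NULL)` test: every caller that receives a file name from an untrusted source (here a D-Bus method argument) has to treat "no basename" as an error path rather than assume a string comes back.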

CVE References

CVE-2022-37290

Joshua Peisach (itzswirlz) wrote:
description: updated
Steve Beattie (sbeattie)
information type: Private Security → Public Security
Joshua Peisach (itzswirlz) wrote:

Part of Debian Cinnamon Team - assign latest release with fix to me

Changed in nemo (Ubuntu Lunar):
assignee: nobody → Joshua Peisach (itzswirlz)
Joshua Peisach (itzswirlz) wrote:

taking responsibility for SRU

Changed in nemo (Ubuntu Focal):
assignee: nobody → Joshua Peisach (itzswirlz)
Changed in nemo (Ubuntu Jammy):
assignee: nobody → Joshua Peisach (itzswirlz)
Changed in nemo (Ubuntu Kinetic):
assignee: nobody → Joshua Peisach (itzswirlz)
Joshua Peisach (itzswirlz) wrote:

Fix in version 5.6.1, sitting in proposed

Changed in nemo (Ubuntu Lunar):
status: New → Fix Committed
Joshua Peisach (itzswirlz) wrote:

Fix released for nautilus 1:43.0-1ubuntu2.1

nautilus (1:43.0-1ubuntu2.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: crash via invalid zip file
    - debian/patches/CVE-2022-37290.patch: fix crash when copying an
      invalid file in src/nautilus-dbus-manager.c,
      src/nautilus-file-operations.c.
    - CVE-2022-37290

 -- Marc Deslauriers <email address hidden> Tue, 03 Jan 2023 12:27:45 -0500

Changed in nautilus (Ubuntu Kinetic):
status: New → Fix Released
Changed in nautilus (Ubuntu Lunar):
status: New → Fix Released
Changed in nautilus (Ubuntu Jammy):
status: New → Fix Released
Changed in nautilus (Ubuntu Focal):
status: New → Fix Released
Joshua Peisach (itzswirlz) wrote:

Applied the patches, not getting any nasty messages in /var/log/syslog

Changed in nemo (Ubuntu Kinetic):
status: New → In Progress
Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "nemo_5.4.3-2ubuntu0.1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Marc Deslauriers (mdeslaur) wrote:

ACK on the debdiff in comment #8. I have slightly adjusted it to add the bug number to the changelog and to fix the urls in the patch. I have uploaded it to the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

Please test it to make sure it works properly, and comment back in this bug, at which point I will release it as a security update. Thanks!

Joshua Peisach (itzswirlz) wrote:

No reproduction on Lunar for Nemo. Syslog does not show any errors

Marc Deslauriers (mdeslaur) wrote:

The update is for kinetic, did you test it on kinetic?

Joshua Peisach (itzswirlz) wrote (last edit):

Yep! (Hostname says "2210Test".) I meant to say Kinetic, but it doesn't happen on Lunar. Want me to try backporting to other releases?

Marc Deslauriers (mdeslaur) wrote:

Oh, that would be great, I could release them all at once. Thanks!

Łukasz Zemczak (sil2100) wrote:

Is there anything that still needs to be done here? Are we waiting for backports to earlier series?

Łukasz Zemczak (sil2100) wrote:

As I don't see anything actionable right now, and there's been no movement since my last ping, I'll remove the ubuntu-sponsors subscription. Please re-add that in case any additional sponsoring is needed.

Marc Deslauriers (mdeslaur) wrote:

Kinetic has now reached end-of-life. There is nothing else to sponsor in this bug for now.

I am unsubscribing ubuntu-security-sponsors. If a new debdiff is attached for sponsoring, please re-subscribe the team. Thanks!

Changed in nemo (Ubuntu Kinetic):
status: In Progress → Won't Fix
Changed in caja (Ubuntu Kinetic):
status: New → Won't Fix