Integer overflow in parse_report (whoopsie.c:425)

Bug #1830863 reported by kev
Affects              Status        Importance   Assigned to   Milestone
Whoopsie             New           Undecided    Unassigned
whoopsie (Ubuntu)    Fix Released  Undecided    Unassigned

Bug Description

Dear Ubuntu Security Team,

I would like to report an integer overflow vulnerability in whoopsie. In combination with issue 1830858, this vulnerability may enable a local attacker to read arbitrary files on the system.

I have attached a proof-of-concept which triggers the vulnerability. I have tested it on an up-to-date Ubuntu 18.04. Run it as follows:

bunzip2 PoC.tar.bz2
tar -xf PoC.tar
cd PoC
make
./killwhoopsie1

The PoC works by creating a file named `/var/crash/killwhoopsie.crash`, just over 4GB in size. It then creates a file named `/var/crash/killwhoopsie.upload`, which prompts whoopsie to start processing the .crash file. Be aware that whoopsie will keep restarting and crash repeatedly until you remove the files from /var/crash.

This is the source location of the integer overflow bug:

http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/src/whoopsie.c#L425

The problem is that the type of value_pos is int, but the size of the file can be larger than INT_MAX. My PoC arranges things such that value_pos == -16, leading to an out-of-bounds write on line 440.

Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy

Thank you,

Kevin Backhouse

Semmle Security Research Team
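The narrowing the report describes, beside the unsigned-length fix that the package changelog applies, as an added example that is not code from whoopsie or from the reporter: parse_report's real structure is not reproduced, and value_pos_signed, value_pos_checked, copy_value and the ProblemType record are assumed names and constructed input.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical stand-in for a report parser's offset arithmetic: sep_pos
 * is the index of the ':' separator and the value starts two bytes later. */
/* Vulnerable pattern: the offset is narrowed to int. Near 4 GiB it no
 * longer fits; GCC/Clang wrap modulo 2^32 (implementation-defined), so the
 * result can be negative and an indexed write lands before the buffer. */
int value_pos_signed(size_t sep_pos)
{
    return (int)(sep_pos + 2);
}

/* Hardened pattern: keep offsets as size_t and validate against the buffer
 * length before use. The subtraction form cannot overflow. Returns 0 or -1. */
int value_pos_checked(size_t sep_pos, size_t file_len, size_t *out)
{
    if (sep_pos >= file_len || file_len - sep_pos < 2)
        return -1;
    *out = sep_pos + 2;
    return 0;
}

/* Copy the value after the separator into dst, bounded by both the file
 * length and the destination size. Returns bytes copied or -1. */
long copy_value(const char *buf, size_t len, size_t sep_pos,
                char *dst, size_t dst_len)
{
    size_t start, n;
    if (dst_len == 0 || value_pos_checked(sep_pos, len, &start) != 0)
        return -1;
    n = len - start;
    if (n >= dst_len)
        n = dst_len - 1;
    memcpy(dst, buf + start, n);
    dst[n] = '\0';
    return (long)n;
}

/* Constructed inputs: the 0xFFFFFFEE separator position that truncates to
 * the -16 the report describes, and one small well-formed record. */
int selfcheck(void)
{
    static const char rec[] = "ProblemType: Crash";   /* ':' at index 11 */
    char dst[16];
    size_t pos;
    if (value_pos_signed((size_t)0xFFFFFFEEu) != -16) return 0;
    if (value_pos_checked((size_t)0xFFFFFFEEu, 4096, &pos) != -1) return 0;
    if (copy_value(rec, sizeof rec - 1, 11, dst, sizeof dst) != 5) return 0;
    return strcmp(dst, "Crash") == 0;
}
```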

Alex Murray (alexmurray) wrote :

I have assigned CVE-2019-11476 for this issue in whoopsie. Kevin, how should we attribute this? 'Kevin Backhouse' / 'Kevin Backhouse from Semmle Security Research Team' / 'Semmle Security Research Team' or something else?

Alex Murray (alexmurray) wrote :

Kevin, do you have a preferred disclosure date / time for this? I notice your policy says 90 days after initial report or 30 days after patch availability - I will be working on a patch for this issue and hope to have something together in the next week or so - and so would prefer a CRD in about 3-4 weeks' time. How would 9th July suit you?

kev (kbackhouse2000) wrote : Re: [Bug 1830863] Re: Integer overflow in parse_report (whoopsie.c:425)

Hi Alex,

Yes, 9th July sounds good. I think it makes sense to disclose this issue on
the same day as issue 1830858.

Thanks,

Kev

On Thu, Jun 13, 2019 at 1:41 PM Alex Murray <email address hidden>
wrote:

> Kevin, do you have a preferred disclosure date / time for this? I notice
> your policy says 90 days after initial report or 30 days after patch
> availability - I will be working on a patch for this issue and hope to
> have something together in the next week or so - and so would prefer a
> CRD in about 3-4 weeks time. How would 9th July suit you?

Alex Murray (alexmurray) wrote :

Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.52.5ubuntu0.1

---------------
whoopsie (0.2.52.5ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow when handling large crash dumps (LP:
    #1830863)
    - src/whoopsie.c: Don't use signed integer types for lengths to ensure
      large crash dumps do not cause signed integer overflow
    - CVE-2019-11476

 -- Alex Murray <email address hidden> Fri, 5 Jul 2019 14:15:25 +0930

Changed in whoopsie (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.62ubuntu1

---------------
whoopsie (0.2.62ubuntu1) cosmic-security; urgency=medium

  * SECURITY UPDATE: Integer overflow when handling large crash dumps (LP:
    #1830863)
    - src/whoopsie.c: Don't use signed integer types for lengths to ensure
      large crash dumps do not cause signed integer overflow
    - CVE-2019-11476

 -- Alex Murray <email address hidden> Fri, 5 Jul 2019 14:15:25 +0930

Changed in whoopsie (Ubuntu):
status: New → Fix Released
Alex Murray (alexmurray)
information type: Private Security → Public Security