Integer overflow in parse_report (whoopsie.c:425)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Whoopsie | New | Undecided | Unassigned |
whoopsie (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Dear Ubuntu Security Team,
I would like to report an integer overflow vulnerability in whoopsie. In combination with issue 1830858, this vulnerability may enable a local attacker to read arbitrary files on the system.
I have attached a proof-of-concept which triggers the vulnerability. I have tested it on an up-to-date Ubuntu 18.04. Run it as follows:
```sh
bunzip2 PoC.tar.bz2
tar -xf PoC.tar
cd PoC
make
./killwhoopsie1
```
The PoC works by creating a file named `/var/crash/
This is the source location of the integer overflow bug:
http://
The problem is that the type of value_pos is int, but the size of the file can be larger than INT_MAX. My PoC arranges things such that value_pos == -16, leading to an out-of-bounds write on line 440.
Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https:/
Thank you,
Kevin Backhouse
Semmle Security Research Team
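As an added illustration of the bug class the report describes (this is constructed example code, not whoopsie's parse_report and not the attached PoC): a small C snippet that contrasts the unchecked narrowing of a file offset to int with the range-and-bounds check a reviewer would expect before the offset is used as an index. The names checked_value_pos, narrowed_value_pos, parse_report_value, report_len and the sample report text are this example's own assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not whoopsie's parse_report. It models the bug class
 * the report describes: a byte offset into the crash file is narrowed to an
 * int, so a file larger than INT_MAX yields a negative offset that indexes
 * before the buffer. The names value_pos, report_len and offset are this
 * example's own. */

/* Hardened check: store the offset in an int only if it is representable
 * as int AND strictly inside the report. Both tests are needed: the first
 * stops the sign wrap, the second stops the out-of-bounds access.
 * Returns 1 on success, 0 if the offset must be rejected. value_pos may be
 * NULL when only the verdict is wanted. */
int checked_value_pos(size_t report_len, size_t offset, int *value_pos)
{
    if (offset > (size_t)INT_MAX)   /* would wrap when narrowed to int */
        return 0;
    if (offset >= report_len)       /* would index past the buffer */
        return 0;
    if (value_pos)
        *value_pos = (int)offset;
    return 1;
}

/* The unchecked narrowing the report warns about. Converting an out-of-range
 * size_t to int is implementation-defined in C; gcc and clang reduce modulo
 * 2^32, so 0xFFFFFFF0 becomes -16, the value_pos the report mentions. Kept
 * as a one-liner so the effect can be shown without a multi-gigabyte file. */
int narrowed_value_pos(size_t offset)
{
    return (int)offset;
}

/* Toy "Key: value" parser over an in-memory report. Finds the value that
 * follows key and validates its position through checked_value_pos.
 * Returns the validated offset, or -1 if the key is absent or the offset
 * is unsafe. */
int parse_report_value(const char *report, size_t report_len, const char *key)
{
    size_t klen = strlen(key);
    size_t i;
    for (i = 0; i + klen + 1 < report_len; i++) {
        if (memcmp(report + i, key, klen) == 0 && report[i + klen] == ':') {
            size_t offset = i + klen + 1;
            int value_pos;
            if (offset < report_len && report[offset] == ' ')
                offset++;               /* skip the single separator space */
            if (!checked_value_pos(report_len, offset, &value_pos))
                return -1;
            return value_pos;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample report; real crash files are far larger. */
    const char report[] = "ProblemType: Crash\nDate: today\n";
    int pos = parse_report_value(report, sizeof report - 1, "Date");
    printf("Date value at offset %d: %.5s\n", pos, report + pos);

    size_t huge = (size_t)UINT_MAX - 15;    /* 0xFFFFFFF0 */
    printf("narrowing %zu to int gives %d\n", huge, narrowed_value_pos(huge));
    printf("checked_value_pos accepts it: %d\n",
           checked_value_pos(huge + 1, huge, NULL));
    return 0;
}
```

The design point is that the fix is not just "use size_t": every place the offset is later stored in or compared against an int needs the explicit INT_MAX test, and the bounds test against the buffer length still has to be performed separately, because a value that fits in int can still lie past the end of a small report.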
Related branches
- Iain Lane (community): Needs Information
- Diff: 26 lines (+3/-3), 2 files modified: src/utils.c (+1/-1), src/whoopsie.c (+2/-2)
CVE References
- CVE-2019-11476
information type: Private Security → Public Security
I have assigned CVE-2019-11476 for this issue in whoopsie. Kevin, how should we attribute this? 'Kevin Backhouse' / 'Kevin Backhouse from Semmle Security Research Team' / 'Semmle Security Research Team' or something else?