Yes, 9th July sounds good. I think it makes sense to disclose this issue on
the same day as issue 1830858.
Thanks,
Kev
On Thu, Jun 13, 2019 at 1:41 PM Alex Murray <email address hidden>
wrote:
> Kevin, do you have a preferred disclosure date / time for this? I notice
> your policy says 90 days after initial report or 30 days after patch
> availability - I will be working on a patch for this issue and hope to
> have something together in the next week or so - and so would prefer a
> CRD in about 3-4 weeks time. How would 9th July suit you?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1830863
>
> Title:
> Integer overflow in parse_report (whoopsie.c:425)
>
> Status in whoopsie package in Ubuntu:
> New
>
> Bug description:
> Dear Ubuntu Security Team,
>
> I would like to report an integer overflow vulnerability in whoopsie.
> In combination with issue 1830858, this vulnerability may enable an
> local attacker to read arbitrary files on the system.
>
> I have attached a proof-of-concept which triggers the vulnerability. I
> have tested it on an up-to-date Ubuntu 18.04. Run it as follows:
>
> bunzip2 PoC.tar.bz2
> tar -xf PoC.tar
> cd PoC
> make
> ./killwhoopsie1
>
> The PoC works by creating a file named
> `/var/crash/killwhoopsie.crash`, just over 4GB in size. It then
> creates a file named `/var/crash/killwhoopsie.upload`, which prompts
> whoopsie to start processing the .crash file. Be aware that whoopsie
> will keep restarting and crash repeatedly until you remove the files
> from /var/crash.
>
> This is the source location of the integer overflow bug:
>
> http://bazaar.launchpad.net/~daisy-
> pluckers/whoopsie/trunk/view/698/src/whoopsie.c#L425
>
> The problem is that the type of value_pos is int, but the size of the
> file can be larger than INT_MAX. My PoC arranges things such that
> value_pos == -16, leading to an out-of-bounds write on line 440.
>
> Please let me know when you have fixed the vulnerability, so that I
> can coordinate my disclosure with yours. For reference, here is a link
> to Semmle's vulnerability disclosure policy:
> https://lgtm.com/security#disclosure_policy
>
> Thank you,
>
> Kevin Backhouse
>
> Semmle Security Research Team
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830863/+subscriptions
>
Hi Alex,
Yes, 9th July sounds good. I think it makes sense to disclose this issue on
the same day as issue 1830858.
Thanks,
Kev
On Thu, Jun 13, 2019 at 1:41 PM Alex Murray <email address hidden>
wrote:
> Kevin, do you have a preferred disclosure date / time for this? I notice /bugs.launchpad .net/bugs/ 1830863 killwhoopsie. crash`, just over 4GB in size. It then killwhoopsie. upload` , which prompts bazaar. launchpad. net/~daisy- whoopsie/ trunk/view/ 698/src/ whoopsie. c#L425 /lgtm.com/ security# disclosure_ policy /bugs.launchpad .net/ubuntu/ +source/ whoopsie/ +bug/1830863/ +subscriptions
> your policy says 90 days after initial report or 30 days after patch
> availability - I will be working on a patch for this issue and hope to
> have something together in the next week or so - and so would prefer a
> CRD in about 3-4 weeks time. How would 9th July suit you?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https:/
>
> Title:
> Integer overflow in parse_report (whoopsie.c:425)
>
> Status in whoopsie package in Ubuntu:
> New
>
> Bug description:
> Dear Ubuntu Security Team,
>
> I would like to report an integer overflow vulnerability in whoopsie.
> In combination with issue 1830858, this vulnerability may enable an
> local attacker to read arbitrary files on the system.
>
> I have attached a proof-of-concept which triggers the vulnerability. I
> have tested it on an up-to-date Ubuntu 18.04. Run it as follows:
>
> bunzip2 PoC.tar.bz2
> tar -xf PoC.tar
> cd PoC
> make
> ./killwhoopsie1
>
> The PoC works by creating a file named
> `/var/crash/
> creates a file named `/var/crash/
> whoopsie to start processing the .crash file. Be aware that whoopsie
> will keep restarting and crash repeatedly until you remove the files
> from /var/crash.
>
> This is the source location of the integer overflow bug:
>
> http://
> pluckers/
>
> The problem is that the type of value_pos is int, but the size of the
> file can be larger than INT_MAX. My PoC arranges things such that
> value_pos == -16, leading to an out-of-bounds write on line 440.
>
> Please let me know when you have fixed the vulnerability, so that I
> can coordinate my disclosure with yours. For reference, here is a link
> to Semmle's vulnerability disclosure policy:
> https:/
>
> Thank you,
>
> Kevin Backhouse
>
> Semmle Security Research Team
>
> To manage notifications about this bug go to:
>
> https:/
>