Use after free in libgetdata v0.10.0 may lead to arbitrary code execution
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libgetdata (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Use after free in libgetdata v0.10.0 may lead to arbitrary code execution or privilege escalation when processing a maliciously crafted dirfile database. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library.
Details
When a RAW field specification is used with a duplicated field name in a FORMAT database fragment, the field name will be freed by _GD_ParseFieldS
Testing
The vulnerability can be tested by supplying a malcrafted database file to the libgetdata library. In Ubuntu Linux, the checkdirfile utility is also vulnerable; this utility is installed by default by the libgetdata-tools package. In Ubuntu Linux, this is located at: /usr/bin/
To test the vulnerability, pass a directory path containing a malcrafted FORMAT dirfile database to checkdirfile, as follows:
checkdirfile /path/to/
Attached is a sample malformed database with a screenshot of the memory analysis.
NOTE: For better visibility of the stack, compile the library with the ASAN sanitizer.
The author has been contacted, waiting for reply. But as there have not been any updates to the project in the past couple of years, a fix might take a while.
As stated in the homepage (http://
RELEASE: Ubuntu 20.04
apt-cache policy libgetdata-tools
libgetdata-tools:
Installed: 0.10.0-6build3
Candidate: 0.10.0-6build3
Version table:
*** 0.10.0-6build3 500
500 http://
100 /var/lib/
CVE References
Changed in libgetdata (Ubuntu):
status: New → Confirmed
UPDATE
This vulnerability has been triaged and has been assigned CVE ID: CVE-2021-20204.
Full impact currently under investigation by Red Hat team.
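
Until a fixed libgetdata is available, untrusted dirfiles can be screened for the condition named under Details (a RAW field specification with a duplicated field name) before they reach the library. The following pre-filter is an added example, not code from this report or from libgetdata. It assumes the fragment is the file named `format` inside the dirfile directory, and it parses in a simplified way: whitespace-separated tokens, `#` comments, `/` directives, no quoting or escapes, and included fragments are not followed.

```python
import os
import sys
from collections import defaultdict

# Constructed sample fragment (not the attachment from the report).
SAMPLE_FORMAT = """\
# constructed dirfile format fragment
/VERSION 10
sensor RAW UINT8 1
gain   CONST FLOAT64 2.5
sensor RAW UINT16 4
"""

def duplicate_fields(format_text):
    """Return {name: [(lineno, field_type), ...]} for names defined more than once."""
    seen = defaultdict(list)
    for lineno, line in enumerate(format_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments (simplified: no quoting)
        if not line or line.startswith("/"):   # blank line or /DIRECTIVE
            continue
        tokens = line.split()
        if len(tokens) < 2:                    # not a "<name> <type> ..." specification
            continue
        seen[tokens[0]].append((lineno, tokens[1]))
    return {name: defs for name, defs in seen.items() if len(defs) > 1}

def raw_duplicates(format_text):
    """Duplicated names where at least one of the definitions is a RAW field."""
    dups = duplicate_fields(format_text)
    return sorted(n for n, defs in dups.items() if any(t == "RAW" for _, t in defs))

def check_dirfile(path):
    """Screen <path>/format; True means no duplicated RAW field name was found."""
    with open(os.path.join(path, "format"), errors="replace") as fh:
        text = fh.read()
    hits = raw_duplicates(text)
    for name in hits:
        lines = [ln for ln, _ in duplicate_fields(text)[name]]
        print(f"{path}: field '{name}' redefined on lines {lines}", file=sys.stderr)
    return not hits

if __name__ == "__main__":
    # Usage: python3 screen_dirfile.py DIR [DIR ...]; exit status 1 if any DIR is flagged.
    results = [check_dirfile(p) for p in sys.argv[1:]]
    sys.exit(0 if all(results) else 1)
```

A clean result only means this one pattern was not seen. The check does not replace patching the library or running it under ASAN.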