command-not-found crash on inreasonably long input

Bug #1643167 reported by thiner
This bug affects 9 people
Affects Status Importance Assigned to Milestone
Dominique Ramaekers

Bug Description

Bash itself won't crash on extraordinarily long input, but the little utilitarian tool will.
With the ulimit set in /etc/bash.bashrc, the crash info is graceful as seen below. However, it ended up crashing my computer out. (Actually it took my computer into the pitfall of swap, as I found out later. That means, it consumes too much MEMORY, not cpu time.)
The source code seems as if the spelling error candidates are O(n^2). (Although actually it is, at least.)

Possibly a denial of service attack on computer without good config on ulimit :)

~# `printf '=%.0s' {1..10000}`
Sorry, command-not-found has crashed! Please file a bug report at:
Please include the following information with the report:

command-not-found version: 0.3
Python version: 3.5.2 final 0
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
Exception information:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/CommandNotFound/", line 24, in crash_guard
  File "/usr/lib/command-not-found", line 90, in main
    if not cnf.advise(args[0], options.ignore_installed) and not options.no_failure_msg:
  File "/usr/lib/python3/dist-packages/CommandNotFound/", line 267, in advise
  File "/usr/lib/python3/dist-packages/CommandNotFound/", line 143, in print_spelling_suggestion
    for w in similar_words(word):
  File "/usr/lib/python3/dist-packages/CommandNotFound/", line 102, in similar_words
    replaces = [a + c + b[1:] for a, b in s for c in alphabet if b]
  File "/usr/lib/python3/dist-packages/CommandNotFound/", line 102, in <listcomp>
    replaces = [a + c + b[1:] for a, b in s for c in alphabet if b]

Related branches

thiner (thiner)
description: updated
Revision history for this message
Dominique Ramaekers (dominique-ramaekers) wrote :

I've tested the command in a lxd-container through ssh. My crash is different but it's clear c-n-f consumes 100% of the physical memory.

I'm looking in to this...

Changed in command-not-found:
status: New → Confirmed
assignee: nobody → Dadio (dominique-ramaekers)
Changed in command-not-found:
status: Confirmed → In Progress
Changed in command-not-found:
importance: Undecided → High
status: In Progress → Fix Committed
Changed in command-not-found:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers