misc.last can crash the computer where the bot is running

Bug #996947 reported by Mikaela Suomalainen on 2012-05-09
This bug affects 2 people
Affects: Ubuntu IRC Bots | Importance: High | Assigned to: niko
Affects: supybot (Debian) | Status: New | Importance: Unknown
Affects: supybot (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

With specific regular expressions in the misc.last command, Supybot starts taking all the resources it can get.

Example of crashing command:
!misc last --regexp m/(.*\w){512}/

This bug has been fixed in forks, Gribble and Limnoria.
http://sourceforge.net/apps/mediawiki/gribble/ https://github.com/ProgVal/Limnoria/

Supybot upstream is dead.
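
Added example, not code from Supybot, Gribble or Limnoria: one way a bot can evaluate a user-supplied regexp under a time budget, by running the match in a child interpreter that is killed when the budget runs out. The names search_with_budget and RegexTimeout, the limits, and the sample lines are assumptions made for this sketch; the pattern is the one from the report without the m/.../ wrapper.

```python
import json
import subprocess
import sys

# Child program: compiles the untrusted pattern and searches the given lines.
# It runs in its own interpreter so a runaway match can be killed from outside.
_CHILD = r"""
import json, re, sys
job = json.load(sys.stdin)
rx = re.compile(job["pattern"])
json.dump([line for line in job["lines"] if rx.search(line)], sys.stdout)
"""


class RegexTimeout(Exception):
    """The pattern did not finish within its time budget."""


def search_with_budget(pattern, lines, timeout=2.0, max_pattern_len=256):
    """Return the lines matching `pattern`, or raise if the budget is exceeded."""
    if len(pattern) > max_pattern_len:
        raise ValueError("pattern too long")
    job = json.dumps({"pattern": pattern, "lines": list(lines)})
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _CHILD],
            input=job, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child at this point.
        raise RegexTimeout("regexp exceeded %.1fs" % timeout) from None
    if proc.returncode != 0:
        raise ValueError("invalid regexp")
    return json.loads(proc.stdout)


if __name__ == "__main__":
    history = ["the bot crashed again", "a" * 600]  # constructed sample lines
    print(search_with_budget(r"crash\w*", history))
    try:
        search_with_budget(r"(.*\w){512}", history, timeout=1.0)
    except RegexTimeout as exc:
        print("rejected:", exc)
```

The bot process itself never runs the match, so a pattern that backtracks without end costs at most the timeout in CPU time per request.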

Mikaela Suomalainen (mikaela) wrote :

I marked this bug to affect Ubuntu-bots, because some Ubots and Meetingology have been made to crash with this bug.

affects: supybot (Ubuntu) → ubuntu-bots
Mikaela Suomalainen (mikaela) wrote :

Oops, it seems that bug cannot affect more than package or project at the same time.

affects: ubuntu-bots → supybot (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in supybot (Ubuntu):
status: New → Confirmed
security vulnerability: no → yes
m4v (m4v) wrote :

ubottu and its clones don't have @last available to normal users, kubot has it disabled, I don't know other bots. I'll ping AlanBell about Meetingology.

As a workaround, if you have a supybot that has @last available, disable it with "@disable last"

tags: added: meetingology


09.05.2012 16:07, m4v kirjoitti:
> ubottu and its clones don't have @last available to normal users,
> kubot has it disabled, I don't know other bots. I'll ping AlanBell
> about Meetingology.
>
> As a workaround, if you have a supybot that has @last available,
> disable it with "@disable last"
>
> ** Also affects: ubuntu-bots Importance: Undecided Status: New
>
> ** Tags added: meetingology
>

I would recommend "defaultcapability remove misc.last" instead. It
prevents users from using misc.last by default.

Your command disables the "last" command in all plugins, including
Misc, Utilities and Seen.

By the way, there is another issue like this, but it probably doesn't
affect Ubottu clones, because they don't usually have Math loaded as
far as I can see.
https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996950

- --
[Mika Suomalainen](https://mkaysi.github.com/) ||
[gpg --keyserver pool.sks-keyservers.net --recv-keys
4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) ||
[Why do I sign my
emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) ||
[Please don't send
HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) ||
[Please don't
toppost](http://mkaysi.github.com/articles/complaining/topposting.html) ||

[This signature](https://gist.github.com/2643070) ||

m4v (m4v) wrote :

I checked that Meetingology doesn't have last enabled, and its logs don't show anything like it was crashed recently. If you know any Ubuntu bot that has @last or @calc enabled, let us know.

tags: removed: meetingology
Mikaela Suomalainen (mikaela) wrote :


09.05.2012 16:25, m4v kirjoitti:
> I checked that Meetingology doesn't have last enabled, and its
> logs don't show anything like it was crashed recently. If you
> know any Ubuntu bot that has @last or @calc enabled, let us know.
>
> ** Tags removed: meetingology
>

AlanBell disabled it just a moment after your previous email, 13:20 UTC.

I will if I see them.


m4v (m4v) wrote :

Marking it as invalid for us as we really can't fix this bug, and our bots already had the workarounds enabled.

Changed in ubuntu-bots:
status: New → Invalid
Mikaela Suomalainen (mikaela) wrote :


09.05.2012 16:47, m4v kirjoitti:
> Marking it as invalid for us as we really can't fix this bug, and
> our bots already had the workarounds enabled.
>
> ** Changed in: ubuntu-bots Status: New => Invalid
>

I just tested this with ubotufr, which appears to be part of
Ubuntu-bots and this issue also affects it.
So this probably shouldn't be invalid to ubuntu-bots.


m4v (m4v) wrote :

ubotu-fr is a fork of supybot, but I'll put the owner on notice.

Mikaela Suomalainen (mikaela) wrote :


09.05.2012 17:37, m4v kirjoitti:
> ubotu-fr is a fork of supybot, but I'll put the owner on notice.
>

It's located at
https://code.launchpad.net/~ubuntu-fr/ubuntu-bots/ubotufr and bugs
link goes to https://bugs.launchpad.net/ubuntu-bots , so shouldn't
this affect ubuntu-bots some other way than invalid?


m4v (m4v) wrote :

The instance of ubotu-fr isn't affected, so for now, no.

Can you please not use a signature when replying to Launchpad? I don't know if you can see it, but it is too long and makes reading difficult.

Changed in supybot (Debian):
status: Unknown → New
Mikaela Suomalainen (mikaela) wrote :


09.05.2012 19:21, m4v kirjoitti:
> The instance of ubotu-fr isn't affected, so for now, no.

But the program in the bazaar branch called "ubotu-fr" is affected. I
don't understand why ubuntu-bots can't be affected by things inside
it. If you don't want ubuntu-bots to be affected by an issue which it's
affected by, why don't you move ubotu-fr out of ubuntu-bots and mark
that new project as affected?


niko (nicolascoevoet) on 2012-05-09
Changed in ubuntu-bots:
assignee: nobody → niko (nicolascoevoet)
importance: Undecided → High
status: Invalid → Fix Committed
This report contains Public Security information.
Everyone can see this security related information.
