Integer overflow in bson_ensure_space (bson.c:613)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
whoopsie (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Dear Ubuntu Security Team,
I would like to report an integer overflow vulnerability in whoopsie. In combination with issue 1830858, this vulnerability may enable a local attacker to read arbitrary files on the system.
I have attached a proof-of-concept which triggers the vulnerability. I have tested it on an up-to-date Ubuntu 18.04. Run it as follows:
bunzip2 PoC.tar.bz2
tar -xf PoC.tar
cd PoC
make
./killwhoopsie2
The PoC works by creating a file named `/var/crash/
This is the source location of the integer overflow bug:
http://
The problem is that the types of pos, bytesNeeded, and b->dataSize are all int. My PoC triggers an integer overflow in the calculation of pos + bytesNeeded, which causes bson_ensure_space to return immediately on line 614 without allocating more space. This leads subsequently to a heap buffer overflow on line 738:
http://
Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https:/
Thank you,
Kevin Backhouse
Semmle Security Research Team
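To illustrate the check the report describes, here is an added example that is not whoopsie's or libbson's code: a hypothetical model of the size check with the naive `pos + bytesNeeded <= dataSize` comparison beside an overflow-safe form. The function names, the sample sizes and the unsigned emulation of the wraparound are assumptions of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the check in the report: a buffer of dataSize
 * bytes, a write cursor at offset pos, and a request for bytesNeeded more
 * bytes. All three are int, as the report says they are in bson.c. */

/* Naive check: "pos + bytesNeeded <= dataSize". Signed overflow is
 * undefined behaviour in C, so the wraparound is emulated here with 32-bit
 * unsigned arithmetic to show deterministically what a wrapped sum does
 * to the comparison (assumption: two's-complement int32). */
bool naive_has_space(int pos, int bytesNeeded, int dataSize) {
    int32_t wrapped = (int32_t)((uint32_t)pos + (uint32_t)bytesNeeded);
    return wrapped <= dataSize;
}

/* Hardened check: reject negative sizes and compare the request against
 * the remaining room, which cannot overflow once 0 <= pos <= dataSize. */
bool safe_has_space(int pos, int bytesNeeded, int dataSize) {
    if (pos < 0 || dataSize < 0 || pos > dataSize)
        return false;          /* inconsistent buffer state: never trust it */
    if (bytesNeeded < 0)
        return false;          /* a negative request is always an error */
    return bytesNeeded <= dataSize - pos;
}

/* Counts constructed sample requests on which the naive check reports
 * "enough space" while the hardened check refuses the request. */
int count_naive_false_positives(void) {
    const int dataSize = 4096, pos = 100;             /* constructed state */
    const int requests[] = { 10, 3996, 3997, INT_MAX, INT_MAX - 50 };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        bool naive = naive_has_space(pos, requests[i], dataSize);
        bool safe = safe_has_space(pos, requests[i], dataSize);
        if (naive && !safe)
            mismatches++;
    }
    return mismatches;
}

int main(void) {
    printf("naive check accepts %d oversized requests\n",
           count_naive_false_positives());
    return 0;
}
```

The two large requests wrap the naive sum to a negative value, so the comparison passes and no reallocation would happen, which is exactly the condition the report says precedes the heap buffer overflow.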
CVE References
Changed in whoopsie (Ubuntu):
importance: Undecided → High
Changed in whoopsie (Ubuntu):
status: New → Triaged
Changed in whoopsie (Ubuntu):
assignee: nobody → Canonical Security Team (canonical-security)
Changed in whoopsie (Ubuntu):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
information type: Private Security → Public Security
tags: added: id-5d6412d0de485863a95da846
Whoopsie bundles a copy of the libbson code which happens to be in other packages as well - mongo-c-driver, php-mongodb, libbson-xs-perl, and duo-unix - so will have to investigate this further to see if it also affects those other packages.