gvfsd-dav: null pointer dereference if server response is not escaped
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gvfs (Ubuntu) | Fix Released | High | Unassigned |

Bug Description
My colleague Gustavo Nunes Pereira has found that gvfsd-dav was crashing with a SEGFAULT on some of our WebDAV mounts. I'm not sure if this is exploitable, but it is caused by a null pointer dereference when listing remote files in a directory if the server returns a non-escaped filename.
A backtrace follows:
(gdb) bt
#0 strlen () at ../sysdeps/
#1 0x000000000040ab4c in path_equal (
a=a@
b=<optimized out>, relax=1) at gvfsbackenddav.
#2 0x000000000040b9f9 in path_equal (relax=1, b=<optimized out>,
a=0x7fffd80
at gvfsbackenddav.
#3 multistatus_
#4 0x000000000040c8ee in do_enumerate (backend=<optimized out>, job=0x63f190, filename=<optimized out>, matcher=<optimized out>, flags=<optimized out>)
at gvfsbackenddav.
#5 0x00007ffff7bc4dea in g_vfs_job_run (job=0x63f190) at gvfsjob.c:197
#6 0x00007ffff64d488c in ?? () from /lib/x86_
#7 0x00007ffff64d3f05 in ?? () from /lib/x86_
#8 0x00007ffff6250182 in start_thread (arg=0x7fffe3df
#9 0x00007ffff5f7d47d in clone () at ../sysdeps/
This bug cannot be reproduced using the master branch from the gvfs repository. It was already fixed by upstream commit https:/
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gvfs 1.20.3-0ubuntu1.2
ProcVersionSign
Uname: Linux 3.13.0-65-generic x86_64
NonfreeKernelMo
ApportVersion: 2.14.1-0ubuntu3.15
Architecture: amd64
Date: Mon Oct 5 10:44:59 2015
InstallationDate: Installed on 2014-07-10 (451 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: gvfs
UpgradeStatus: No upgrade log present (probably fresh install)
See also https://bugzilla.gnome.org/show_bug.cgi?id=743298
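
Added example (not gvfs code and not part of the original report): a simplified C model of the failure class described above, where decoding a server-supplied href can yield NULL and that NULL must not reach `strlen()` in a path comparison. The names `unescape_href`, `path_equal_safe` and `classify_entry`, the decoder's behaviour and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model; every name here is hypothetical. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode an href from a multistatus response. Returns a malloc'd
 * string, or NULL when '%' is not followed by two hex digits (or is %00),
 * which is what an unescaped file name such as "100%.txt" looks like. */
char *unescape_href(const char *in) {
    if (in == NULL) return NULL;
    char *out = malloc(strlen(in) + 1), *p = out;
    if (out == NULL) return NULL;
    for (; *in; in++) {
        if (*in != '%') { *p++ = *in; continue; }
        int hi = hexval((unsigned char)in[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
        if (lo < 0 || (hi == 0 && lo == 0)) { free(out); return NULL; }
        *p++ = (char)(hi * 16 + lo);
        in += 2;
    }
    *p = '\0';
    return out;
}

/* Compare two paths ignoring trailing slashes. The NULL check is the guard
 * whose absence turns a failed decode into a strlen(NULL) crash. */
int path_equal_safe(const char *a, const char *b) {
    if (a == NULL || b == NULL) return 0;
    size_t la = strlen(a), lb = strlen(b);
    while (la > 1 && a[la - 1] == '/') la--;
    while (lb > 1 && b[lb - 1] == '/') lb--;
    return la == lb && memcmp(a, b, la) == 0;
}

/* 1: entry is the enumerated directory itself; 0: entry is something else;
 * -1: href could not be decoded, so the caller should skip the entry. */
int classify_entry(const char *href, const char *dir) {
    char *path = unescape_href(href);
    if (path == NULL) return -1;
    int same = path_equal_safe(path, dir);
    free(path);
    return same;
}
```

Rejecting the entry at decode time and guarding the comparison are independent checks; either one alone keeps a malformed server response from crashing the enumerating process.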