gvfsd-dav: null pointer dereference if server response is not escaped

Bug #1502912 reported by Paulo Matias
Affects | Status | Importance | Assigned to | Milestone
gvfs (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

My colleague Gustavo Nunes Pereira has found that gvfsd-dav was crashing with a SEGFAULT on some of our WebDAV mounts. I'm not sure if this is exploitable, but it is caused by a null pointer dereference when listing remote files in a directory if the server returns a non-escaped filename.

A backtrace follows:

(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x000000000040ab4c in path_equal (
    a=a@entry=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx",
    b=<optimized out>, relax=1) at gvfsbackenddav.c:243
#2 0x000000000040b9f9 in path_equal (relax=1, b=<optimized out>,
    a=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx")
    at gvfsbackenddav.c:237
#3 multistatus_get_response (resp_iter=resp_iter@entry=0x7fffe3dfbd50, response=response@entry=0x7fffe3dfbd30) at gvfsbackenddav.c:856
#4 0x000000000040c8ee in do_enumerate (backend=<optimized out>, job=0x63f190, filename=<optimized out>, matcher=<optimized out>, flags=<optimized out>)
    at gvfsbackenddav.c:2211
#5 0x00007ffff7bc4dea in g_vfs_job_run (job=0x63f190) at gvfsjob.c:197
#6 0x00007ffff64d488c in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x00007ffff64d3f05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8 0x00007ffff6250182 in start_thread (arg=0x7fffe3dfc700) at pthread_create.c:312
#9 0x00007ffff5f7d47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

This bug cannot be reproduced using the master branch from the gvfs repository. It was already fixed by upstream commit https://git.gnome.org/browse/gvfs/patch/?id=f81ff2108ab3b6e370f20dcadd8708d23f499184 which can be applied cleanly against Ubuntu's gvfs 1.20.3.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gvfs 1.20.3-0ubuntu1.2
ProcVersionSignature: Ubuntu 3.13.0-65.105-generic 3.13.11-ckt26
Uname: Linux 3.13.0-65-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.14.1-0ubuntu3.15
Architecture: amd64
Date: Mon Oct 5 10:44:59 2015
InstallationDate: Installed on 2014-07-10 (451 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: gvfs
UpgradeStatus: No upgrade log present (probably fresh install)
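An added illustration of the failure mode the backtrace above points at; it is not gvfs or GLib code and not the upstream fix. The crashing filename "justificativa_25%.docx" contains "%.", which is not a valid percent escape. GLib's g_uri_unescape_string() returns NULL for input with a malformed escape, so a comparison that hands that result straight to strlen() dereferences a null pointer, which matches frame #0/#1 of the trace. The block uses a small stand-in decoder with the same NULL-on-malformed-input contract, shows the comparison written the crashing way beside one that treats an undecodable path as "not equal", and assumes `relax` means trailing slashes are ignored (an assumption; the real meaning in gvfsbackenddav.c is not shown on this page).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for g_uri_unescape_string(): returns a newly
 * allocated decoded copy, or NULL when the input holds a malformed escape
 * such as "%." or a truncated trailing "%2". Illustrative only. */
char *unescape_path(const char *s)
{
    size_t n = strlen(s), o = 0;
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '%') {
            /* need two hex digits after '%', otherwise the escape is invalid */
            if (i + 2 >= n || !isxdigit((unsigned char)s[i + 1]) ||
                !isxdigit((unsigned char)s[i + 2])) {
                free(out);
                return NULL;
            }
            char hex[3] = { s[i + 1], s[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = s[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Length of the path with trailing slashes dropped when relax is set
 * (assumed semantics of "relax"; root "/" keeps its single slash). */
static size_t effective_len(const char *p, int relax)
{
    size_t len = strlen(p);
    if (relax)
        while (len > 1 && p[len - 1] == '/')
            len--;
    return len;
}

/* The crashing shape: strlen() runs on whatever the decoder returned,
 * including NULL. Never call this with a malformed path. */
int path_equal_unsafe(const char *a, const char *b, int relax)
{
    char *ua = unescape_path(a), *ub = unescape_path(b);
    size_t la = effective_len(ua, relax);   /* strlen(NULL) on bad input */
    size_t lb = effective_len(ub, relax);
    int eq = (la == lb) && memcmp(ua, ub, la) == 0;
    free(ua);
    free(ub);
    return eq;
}

/* Hardened shape: a path that cannot be decoded is simply not equal to
 * anything, and both buffers are released on every path. */
int path_equal_safe(const char *a, const char *b, int relax)
{
    char *ua = unescape_path(a), *ub = unescape_path(b);
    int eq = 0;
    if (ua && ub) {
        size_t la = effective_len(ua, relax);
        size_t lb = effective_len(ub, relax);
        eq = (la == lb) && memcmp(ua, ub, la) == 0;
    }
    free(ua);
    free(ub);
    return eq;
}

int main(void)
{
    /* constructed sample: the shape of the filename in the bug's backtrace */
    const char *bad = "/dav/dir/justificativa_25%.docx";
    printf("well-formed:  %d\n", path_equal_safe("/a/b%20c/", "/a/b c", 1));
    printf("malformed:    %d (no crash)\n", path_equal_safe(bad, bad, 1));
    return 0;
}
```

The point of the hardened form is that a server response the client cannot decode is data to reject, not a reason to crash the daemon; the enumerate job that called this comparison can then skip or report the entry instead of taking the whole gvfsd-dav process down.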

Paulo Matias (paulo-matias) wrote :
Seth Arnold (seth-arnold) wrote :
information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Upstream patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Sebastien Bacher (seb128) wrote :

Thanks, the bug is fixed in the current version but indeed that should probably be a fix to backport to trusty

Changed in gvfs (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Sebastien Bacher (seb128) wrote :