Use-after-free in OptionSet
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libgetopt++ (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
libgetopt++1:
Installed: 0.0.2-p22-3ubuntu1
There is a use-after-free bug in OptionSet:
optionValue = value.c_str();
In both cases, value's lifetime will end at the end of the block for that case, causing optionValue to contain a dangling pointer to the now potentially free'd buffer that value managed. It is later passed to theOption->Process at the end of the function, which in turn may use it to initialize an std::string.
Luckily, I do not see any obvious ways to exploit this bug. There does not appear to be any way for an attacker to control heap allocations between when the buffer is free'd, and when it will potentially be copied in StringOption:
Even if an attacker could overwrite the free'd buffer with arbitrary data, given that it is only used to initialize another std::string, I suspect that the worst they could do would be to cause a segmentation fault.
There might be the potential for a memory disclosure if the program reflects the option's value somehow, but given the likely use case of this library, that danger seems low as well.
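The lifetime problem described above, as an added example that is not libgetopt++'s own code: a hypothetical option parser with the same shape (the names Option, Kind, parseUnsafe and parseSafe are assumed), showing the block-scoped std::string whose c_str() dangles beside the fix that hoists the string so it outlives the pointer handed to Process.

```cpp
#include <cstring>
#include <string>

// Hypothetical stand-in for the option handler: it receives a C string and
// copies it into a std::string, as the report describes for StringOption.
struct Option {
    std::string stored;
    void Process(const char *v) { stored = (v != nullptr) ? v : ""; }
};

enum class Kind { Inline, Separate };  // "--name=value" vs "--name value"

// VULNERABLE: 'value' lives only inside its case block, so optionValue keeps
// pointing at a buffer the std::string may already have released by the time
// Process runs. Never call this; it has undefined behaviour.
std::string parseUnsafe(Kind kind, const char *arg, const char *next) {
    Option theOption;
    const char *optionValue = nullptr;
    switch (kind) {
    case Kind::Inline: {
        const char *eq = std::strchr(arg, '=');
        std::string value(eq != nullptr ? eq + 1 : "");
        optionValue = value.c_str();  // dangling once 'value' goes out of scope
        break;
    }
    case Kind::Separate: {
        std::string value(next != nullptr ? next : "");
        optionValue = value.c_str();  // same defect
        break;
    }
    }
    theOption.Process(optionValue);  // reads freed memory
    return theOption.stored;
}

// FIXED: declare the std::string before the switch so it is still alive when
// its c_str() is consumed; no raw pointer outlives the object that owns it.
std::string parseSafe(Kind kind, const char *arg, const char *next) {
    Option theOption;
    std::string value;
    switch (kind) {
    case Kind::Inline: {
        const char *eq = std::strchr(arg, '=');
        value.assign(eq != nullptr ? eq + 1 : "");
        break;
    }
    case Kind::Separate:
        value.assign(next != nullptr ? next : "");
        break;
    }
    theOption.Process(value.c_str());  // 'value' is in scope here
    return theOption.stored;
}
```

Building with -fsanitize=address and calling parseUnsafe reports a heap-use-after-free at the Process call, which is the quickest way to confirm the defect in the real library.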
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. I suggest coordinating with upstream for this issue. See the following link for more information on preparing an update for Ubuntu: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
That said, I don't see this as a likely security vulnerability, as there would need to be some difference in privilege between the program and the invocation of the program that is linked with libgetopt++, i.e. either linked into a setuid/setgid program or a program invoked via external input (e.g. a webapp). In Ubuntu, the only user of libgetopt++ is config-manager (upstream https://launchpad.net/config-manager).