Use-after-free in OptionSet

Bug #1448541 reported by Reagan Sanders
Affects: libgetopt++ (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

libgetopt++1:
  Installed: 0.0.2-p22-3ubuntu1

There is a use-after-free bug in OptionSet::doOption. For the Option::Optional and Option::Required switch cases, the following assignment is made:

optionValue = value.c_str();

In both cases, value's lifetime will end at the end of the block for that case, causing optionValue to contain a dangling pointer to the now potentially freed buffer that value managed. It is later passed to theOption->Process at the end of the function, which in turn may use it to initialize an std::string.

Luckily, I do not see any obvious ways to exploit this bug. There does not appear to be any way for an attacker to control heap allocations between when the buffer is freed and when it will potentially be copied in StringOption::Process.

Even if an attacker could overwrite the freed buffer with arbitrary data, given that it is only used to initialize another std::string, I suspect that the worst they could do would be to cause a segmentation fault.

There might be the potential for a memory disclosure if the program reflects the option's value somehow, but given the likely use case of this library, that danger seems low as well.
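The lifetime problem the report describes, reduced to a self-contained illustration. This is an added example, not libgetopt++'s own code: `StringOption`, `Arg` and the two `doOption*` functions are hypothetical stand-ins for the library's OptionSet::doOption and StringOption::Process, showing the dangling-pointer shape beside the fix of hoisting `value` to function scope.

```cpp
#include <string>

// Hypothetical stand-in for the library's option object: Process() copies the
// C string it is handed into a std::string, as the report says StringOption::Process does.
struct StringOption {
    std::string stored;
    void Process(const char *optionValue) { stored = optionValue ? optionValue : ""; }
};

enum class Arg { None, Optional, Required };

// Buggy shape described in the report: `value` is local to the case block, so
// optionValue points into a destroyed std::string by the time Process() runs.
// Never call this; it exists only to show the pattern (AddressSanitizer flags it).
void doOptionBuggy(StringOption &opt, Arg kind, const char *optarg) {
    const char *optionValue = nullptr;
    switch (kind) {
    case Arg::Optional:
    case Arg::Required: {
        std::string value(optarg ? optarg : "");  // lives only inside these braces
        optionValue = value.c_str();              // pointer into value's buffer
        break;                                    // value destroyed here
    }
    case Arg::None:
        break;
    }
    opt.Process(optionValue);  // use-after-free for Optional/Required
}

// Fixed shape: declare `value` at function scope so its buffer outlives the
// Process() call; optionValue then stays valid for the whole function.
std::string doOptionFixed(Arg kind, const char *optarg) {
    StringOption opt;
    std::string value;               // lives until the function returns
    const char *optionValue = nullptr;
    switch (kind) {
    case Arg::Optional:
    case Arg::Required:
        value = optarg ? optarg : "";
        optionValue = value.c_str();  // now points into a still-live string
        break;
    case Arg::None:
        break;
    }
    opt.Process(optionValue);
    return opt.stored;
}
```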

Tags: patch
Reagan Sanders (vexo) wrote :
Reagan Sanders (vexo)
description: updated
Steve Beattie (sbeattie) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. I suggest coordinating with upstream for this issue. See the following link for more information on preparing an update for Ubuntu: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

That said, I don't see this as a likely security vulnerability, as there would need to be some difference in privilege between the program and the invocation of the program that is linked with libgetopt++, i.e. either linked into a setuid/setgid program or a program invoked via external input (e.g. a webapp). In Ubuntu, the only user of libgetopt++ is config-manager (upstream https://launchpad.net/config-manager).

Changed in libgetopt++ (Ubuntu):
status: New → Confirmed
Reagan Sanders (vexo)
information type: Private Security → Public
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Unified diff for a potential fix" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch