Ubuntu
nautilus package

  1. Bug #1998060
  2. Activity log

Activity log for bug #1998060

Date Who What changed Old value New value Message
2022-11-28 01:50:05 Joshua Peisach bug added bug
2022-11-28 01:50:05 Joshua Peisach attachment added POC python script https://bugs.launchpad.net/bugs/1998060/+attachment/5632920/+files/poc.py
2022-11-28 01:50:13 Joshua Peisach cve linked 2022-37290
2022-11-28 01:51:17 Joshua Peisach bug task added nemo (Ubuntu)
2022-11-28 01:51:42 Joshua Peisach bug task added caja (Ubuntu)
2022-11-28 01:53:04 Joshua Peisach description A bug for the triage/patching of CVE-2022-37290. In get_basename() and g_file_get_basename(), when the file name cannot be parsed, NULL is returned; Nautilus does not check this and this results in a NPD and a crash. The issue on GNOME GitLab explains this pretty well: https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376 And the code in question is also in Nemo and Caja. History of the code: The faulty code was introduced in Nautilus 2.20, before Nemo and Caja were forked; these file managers have the same issue and same code in the function. The simplest POC I found was running this via DBus, which I'm not 100% sure if I've altered correctly for Nemo and Caja, but regardless for Nautilus this results in a crash. ``` Nov 27 20:38:32 Joshua-2210Test nautilus[5433]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed Nov 27 20:38:32 Joshua-2210Test kernel: [ 825.449866] pool-org.gnome.[5439]: segfault at 0 ip 00007f3058c6c570 sp 00007f3051dfa968 error 4 in libglib-2.0.so.0.7400.0[7f3058c03000+8f000] Nov 27 20:38:32 Joshua-2210Test kernel: [ 825.449878] Code: 0f 85 bc fe ff ff e9 42 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 d1 48 85 f6 0f 89 b0 00 00 00 <0f> b6 07 84 c0 75 15 eb 27 0f 1f 80 00 00 00 00 0f b6 42 01 48 8d ``` Attached is the poc.py, made by Wu Chunming. ProblemType: Bug DistroRelease: Ubuntu 22.10 Package: nautilus 1:43.0-1ubuntu1 ProcVersionSignature: Ubuntu 5.19.0-23.24-generic 5.19.7 Uname: Linux 5.19.0-23-generic x86_64 ApportVersion: 2.23.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Sun Nov 27 20:41:20 2022 GsettingsChanges: InstallationDate: Installed on 2022-09-18 (70 days ago) InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220918) ProcEnviron: SHELL=/bin/bash LANG=en_US.UTF-8 TERM=xterm-256color XDG_RUNTIME_DIR=<set> PATH=(custom, no user) SourcePackage: nautilus UpgradeStatus: No upgrade log present (probably fresh install) usr_lib_nautilus: file-roller 43.0-1 nautilus-extension-gnome-terminal 3.46.2-1ubuntu1 A bug for the triage/patching of CVE-2022-37290. In get_basename() and g_file_get_basename(), when the file name cannot be parsed, NULL is returned; Nautilus does not check this and this results in a NPD and a crash. The issue on GNOME GitLab explains this pretty well: https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376 And the code in question is also in Nemo and Caja. History of the code: The faulty code was introduced in Nautilus 2.20, before Nemo and Caja were forked; these file managers have the same issue and same code in the function. The simplest POC I found was running this via DBus, which I'm not 100% sure if I've altered correctly for Nemo and Caja, but regardless for Nautilus this results in a crash. ``` Nov 27 20:38:32 Joshua-2210Test nautilus[5433]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed Nov 27 20:38:32 Joshua-2210Test kernel: [ 825.449866] pool-org.gnome.[5439]: segfault at 0 ip 00007f3058c6c570 sp 00007f3051dfa968 error 4 in libglib-2.0.so.0.7400.0[7f3058c03000+8f000] Nov 27 20:38:32 Joshua-2210Test kernel: [ 825.449878] Code: 0f 85 bc fe ff ff e9 42 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 d1 48 85 f6 0f 89 b0 00 00 00 <0f> b6 07 84 c0 75 15 eb 27 0f 1f 80 00 00 00 00 0f b6 42 01 48 8d ``` Attached is the poc.py, made by Wu Chunming. ** Nemo ** Upstream, version 5.6.0: (more advanced/verbose) upstream patch: https://github.com/linuxmint/nemo/commit/b9953e61f61724f46740ac77317720549cdf6005 possible further problems: https://github.com/linuxmint/nemo/commit/33c37a82e88a8e6b289b3b0d2010ce0caece4bdb ProblemType: Bug DistroRelease: Ubuntu 22.10 Package: nautilus 1:43.0-1ubuntu1 ProcVersionSignature: Ubuntu 5.19.0-23.24-generic 5.19.7 Uname: Linux 5.19.0-23-generic x86_64 ApportVersion: 2.23.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Sun Nov 27 20:41:20 2022 GsettingsChanges: InstallationDate: Installed on 2022-09-18 (70 days ago) InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220918) ProcEnviron:  SHELL=/bin/bash  LANG=en_US.UTF-8  TERM=xterm-256color  XDG_RUNTIME_DIR=<set>  PATH=(custom, no user) SourcePackage: nautilus UpgradeStatus: No upgrade log present (probably fresh install) usr_lib_nautilus:  file-roller 43.0-1  nautilus-extension-gnome-terminal 3.46.2-1ubuntu1
2022-11-28 01:54:25 Joshua Peisach bug added subscriber Ubuntu Cinnamon Developers
2022-11-28 09:41:37 fossfreedom bug added subscriber fossfreedom
2022-11-28 09:42:19 fossfreedom nominated for series Ubuntu Focal
2022-11-28 09:42:19 fossfreedom bug task added nautilus (Ubuntu Focal)
2022-11-28 09:42:19 fossfreedom bug task added nemo (Ubuntu Focal)
2022-11-28 09:42:19 fossfreedom bug task added caja (Ubuntu Focal)
2022-11-28 09:42:19 fossfreedom nominated for series Ubuntu Jammy
2022-11-28 09:42:19 fossfreedom bug task added nautilus (Ubuntu Jammy)
2022-11-28 09:42:19 fossfreedom bug task added nemo (Ubuntu Jammy)
2022-11-28 09:42:19 fossfreedom bug task added caja (Ubuntu Jammy)
2022-11-28 09:42:19 fossfreedom nominated for series Ubuntu Kinetic
2022-11-28 09:42:19 fossfreedom bug task added nautilus (Ubuntu Kinetic)
2022-11-28 09:42:19 fossfreedom bug task added nemo (Ubuntu Kinetic)
2022-11-28 09:42:19 fossfreedom bug task added caja (Ubuntu Kinetic)
2022-11-28 09:42:19 fossfreedom nominated for series Ubuntu Lunar
2022-11-28 09:42:19 fossfreedom bug task added nautilus (Ubuntu Lunar)
2022-11-28 09:42:19 fossfreedom bug task added nemo (Ubuntu Lunar)
2022-11-28 09:42:19 fossfreedom bug task added caja (Ubuntu Lunar)
2022-11-30 18:18:59 Steve Beattie information type Private Security Public Security
2022-11-30 20:21:02 Joshua Peisach nemo (Ubuntu Lunar): assignee Joshua Peisach (itzswirlz)
2022-11-30 20:21:20 Joshua Peisach nemo (Ubuntu Focal): assignee Joshua Peisach (itzswirlz)
2022-11-30 20:21:29 Joshua Peisach nemo (Ubuntu Jammy): assignee Joshua Peisach (itzswirlz)
2022-11-30 20:21:39 Joshua Peisach nemo (Ubuntu Kinetic): assignee Joshua Peisach (itzswirlz)
2023-01-05 13:57:32 Joshua Peisach nemo (Ubuntu Lunar): status New Fix Committed
2023-01-05 22:10:32 Joshua Peisach nautilus (Ubuntu Kinetic): status New Fix Released
2023-01-05 22:11:10 Joshua Peisach nautilus (Ubuntu Lunar): status New Fix Released
2023-01-05 22:11:21 Joshua Peisach nautilus (Ubuntu Jammy): status New Fix Released
2023-01-05 22:11:48 Joshua Peisach nautilus (Ubuntu Focal): status New Fix Released
2023-01-06 21:09:07 Joshua Peisach attachment added nemo_5.4.3-2ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/1998060/+attachment/5639800/+files/nemo_5.4.3-2ubuntu0.1.debdiff
2023-01-06 21:09:18 Joshua Peisach nemo (Ubuntu Kinetic): status New In Progress
2023-01-07 00:24:14 Ubuntu Foundations Team Bug Bot tags amd64 apport-bug bionic focal jammy kinetic wayland-session amd64 apport-bug bionic focal jammy kinetic patch wayland-session
2023-01-07 00:24:22 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Security Sponsors Team
2023-02-11 23:09:59 Joshua Peisach attachment added Screenshot from 2023-02-11 18-09-13.png https://bugs.launchpad.net/ubuntu/+source/nemo/+bug/1998060/+attachment/5646439/+files/Screenshot%20from%202023-02-11%2018-09-13.png
2023-07-25 11:41:54 Marc Deslauriers nemo (Ubuntu Kinetic): status In Progress Won't Fix
2023-07-25 11:42:04 Marc Deslauriers caja (Ubuntu Kinetic): status New Won't Fix
2023-07-25 11:43:01 Marc Deslauriers removed subscriber Ubuntu Security Sponsors Team