Integer overflow in parse_report (whoopsie.c:425)

Bug #1830863 reported by kev on 2019-05-29
Affects             Status   Importance   Assigned to   Milestone
Whoopsie                     Undecided    Unassigned
whoopsie (Ubuntu)            Undecided    Unassigned

Bug Description

Dear Ubuntu Security Team,

I would like to report an integer overflow vulnerability in whoopsie. In combination with issue 1830858, this vulnerability may enable a local attacker to read arbitrary files on the system.

I have attached a proof-of-concept which triggers the vulnerability. I have tested it on an up-to-date Ubuntu 18.04. Run it as follows:

bunzip2 PoC.tar.bz2
tar -xf PoC.tar
cd PoC
make
./killwhoopsie1

The PoC works by creating a file named `/var/crash/killwhoopsie.crash`, just over 4GB in size. It then creates a file named `/var/crash/killwhoopsie.upload`, which prompts whoopsie to start processing the .crash file. Be aware that whoopsie will keep restarting and crash repeatedly until you remove the files from /var/crash.

This is the source location of the integer overflow bug:

http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/src/whoopsie.c#L425

The problem is that the type of value_pos is int, but the size of the file can be larger than INT_MAX. My PoC arranges things such that value_pos == -16, leading to an out-of-bounds write on line 440.

Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy

Thank you,

Kevin Backhouse

Semmle Security Research Team
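The following is an added illustration of the bug class described above, not whoopsie's own parse_report code: a constructed "Key: value" report parser in which the value offset is stored in an int (the reported pattern) next to a version that keeps offsets in size_t and bounds-checks them before indexing, which is the shape of the fix later shipped (function names, the sample report and the chosen offsets are assumptions for the example).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a "Key: value" crash-report parser. This is added
 * example code, not whoopsie's actual parse_report implementation. */

/* Vulnerable pattern: the value offset is stored in an int. Once the
 * separator sits 2^31 bytes or further into the report (reachable with a
 * multi-GB .crash file), the size_t -> int conversion wraps (two's
 * complement on GCC/Clang with a 32-bit int) and the parser goes on to
 * index its buffer with a negative number, i.e. before the allocation. */
static int value_pos_signed(size_t colon_off) {
    int value_pos = colon_off + 2;           /* skip ": " */
    return value_pos;
}

/* Hardened pattern: keep offsets unsigned and validate them against the
 * report length before use instead of trusting the arithmetic. */
static bool value_pos_checked(size_t colon_off, size_t report_len, size_t *out) {
    if (colon_off >= report_len || report_len - colon_off < 2)
        return false;                         /* no room for ": " + value */
    *out = colon_off + 2;
    return true;
}

/* Locate the ':' separator of the line beginning at `start`. */
static bool find_colon(const char *report, size_t len, size_t start, size_t *colon) {
    for (size_t i = start; i < len && report[i] != '\n'; i++) {
        if (report[i] == ':') { *colon = i; return true; }
    }
    return false;
}

/* Copy the value of the line beginning at `start` into dst (bounded), using
 * only checked size_t offsets. Refuses rather than writing out of bounds. */
static bool copy_value(const char *report, size_t len, size_t start,
                       char *dst, size_t dst_len) {
    size_t colon, vpos, n = 0;
    if (dst_len == 0 || !find_colon(report, len, start, &colon) ||
        !value_pos_checked(colon, len, &vpos))
        return false;
    while (vpos + n < len && report[vpos + n] != '\n' && n + 1 < dst_len) {
        dst[n] = report[vpos + n];
        n++;
    }
    dst[n] = '\0';
    return true;
}
```

With a separator 0xFFFFFFEE bytes into the report, the signed version yields exactly the -16 offset mentioned in the report, while the checked version returns the correct 0xFFFFFFF0 or refuses when the offset exceeds the report length.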

Alex Murray (alexmurray) wrote :

I have assigned CVE-2019-11476 for this issue in whoopsie. Kevin, how should we attribute this? 'Kevin Backhouse' / 'Kevin Backhouse from Semmle Security Research Team' / 'Semmle Security Research Team' or something else?

Alex Murray (alexmurray) wrote :

Kevin, do you have a preferred disclosure date / time for this? I notice your policy says 90 days after initial report or 30 days after patch availability - I will be working on a patch for this issue and hope to have something together in the next week or so - and so would prefer a CRD in about 3-4 weeks time. How would 9th July suit you?

Hi Alex,

Yes, 9th July sounds good. I think it makes sense to disclose this issue on
the same day as issue 1830858.

Thanks,

Kev

On Thu, Jun 13, 2019 at 1:41 PM Alex Murray <email address hidden>
wrote:

> Kevin, do you have a preferred disclosure date / time for this? I notice
> your policy says 90 days after initial report or 30 days after patch
> availability - I will be working on a patch for this issue and hope to
> have something together in the next week or so - and so would prefer a
> CRD in about 3-4 weeks time. How would 9th July suit you?

Alex Murray (alexmurray) wrote :

Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.52.5ubuntu0.1

---------------
whoopsie (0.2.52.5ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow when handling large crash dumps (LP:
    #1830863)
    - src/whoopsie.c: Don't use signed integer types for lengths to ensure
      large crash dumps do not cause signed integer overflow
    - CVE-2019-11476

 -- Alex Murray <email address hidden> Fri, 5 Jul 2019 14:15:25 +0930

Changed in whoopsie (Ubuntu):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.62ubuntu1

---------------
whoopsie (0.2.62ubuntu1) cosmic-security; urgency=medium

  * SECURITY UPDATE: Integer overflow when handling large crash dumps (LP:
    #1830863)
    - src/whoopsie.c: Don't use signed integer types for lengths to ensure
      large crash dumps do not cause signed integer overflow
    - CVE-2019-11476

 -- Alex Murray <email address hidden> Fri, 5 Jul 2019 14:15:25 +0930

Changed in whoopsie (Ubuntu):
status: New → Fix Released

Alex Murray (alexmurray) on 2019-07-09
information type: Private Security → Public Security