Comment 8 for bug 1830865

Tiago Stürmer Daitx (tdaitx) wrote :

Please review the attached debdiff as a suggested fix for this issue.

From debian/changelog:
 * SECURITY UPDATE: Integer overflow when handling large bson objects (LP: #1830865)
   - lib/bson/bson.c, lib/bson/bson.h, src/whoopsie.c: use size_t
     for size instead of int to prevent integer overflows.
   - lib/bson/bson.c: ensure bson objects are not bigger than INT_MAX.
   - CVE-2019-11484
 * src/whoopsie.c: prevent freeing a NULL server response string.

Additional comments:
I have modified some ints used for size even in functions that are not used by whoopsie so we are not hit by this again in case whoopsie changes.
I added a check on size so it does not go over the bson int32 specification, and I modified a check so it always verifies that the total size is also under max int32; previously it only did this check 'if( new_size < b->dataSize )'.
Whoopsie would try to free the 's' string even when bsonify failed, thus triggering a NULL assert, so I moved the string declaration and the free call inside the scope of the crash file upload.
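The shape of the size check described above (the INT32_MAX limit enforced on every call rather than only after a wraparound, size_t bookkeeping instead of int, and the comparison done before the addition so it cannot wrap), as an added C illustration that is not whoopsie's or its bundled bson library's code; the names bson_buf, bson_size_fits and bson_ensure_space are hypothetical:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* BSON stores a document's total length in a signed int32 header, so the
 * encoder must never grow a document past INT32_MAX bytes. */
#define BSON_MAX_SIZE ((size_t)INT32_MAX)

typedef struct {
    char  *data;      /* heap buffer holding the document so far */
    size_t pos;       /* bytes written: size_t, not int, as in the fix */
    size_t dataSize;  /* bytes allocated: size_t, not int, as in the fix */
    int    err;       /* 1 once a size or allocation error has occurred */
} bson_buf;

/* Pure check: true if pos + bytesNeeded stays under the BSON limit, storing
 * the sum in *needed. The limit is tested on every call, not only after a
 * wraparound, and the comparison precedes the addition so size_t cannot wrap. */
bool bson_size_fits(size_t pos, size_t bytesNeeded, size_t *needed)
{
    if (bytesNeeded > BSON_MAX_SIZE || pos > BSON_MAX_SIZE - bytesNeeded)
        return false;
    *needed = pos + bytesNeeded;
    return true;
}

/* Grows the buffer so that bytesNeeded more bytes fit, or fails closed. */
bool bson_ensure_space(bson_buf *b, size_t bytesNeeded)
{
    size_t needed;
    if (!bson_size_fits(b->pos, bytesNeeded, &needed)) {
        b->err = 1;                 /* would exceed INT32_MAX: refuse */
        return false;
    }
    if (needed <= b->dataSize)
        return true;                /* already enough room */
    char *grown = realloc(b->data, needed);  /* needed <= INT32_MAX here */
    if (grown == NULL) {
        b->err = 1;
        return false;
    }
    b->data = grown;
    b->dataSize = needed;
    return true;
}
```

A naive `pos + bytesNeeded` in size_t would wrap silently for a huge bytesNeeded; comparing against `BSON_MAX_SIZE - bytesNeeded` first is what turns that into a refusal.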