Comment 0 for bug 1882180

Seong-Joong Kim (sungjungk) wrote : Denial of service due to uncaught exception on parse_report()

Hi,

I have found a security issue on whoopsie 0.2.69 and earlier.

## Vulnerability in whoopsie
- whoopsie 0.2.69 and earlier have an improper input validation vulnerability.
- A large amount of key-value pairs in a crash report causes an exception of a type that was not handled properly in parse_report() and leads to an unexpected termination.
- An attacker can cause a denial of service (application crash) via a crafted .crash file.

## Basic
When a program has crashed, the Linux system tries to create a '.crash' file in the '/var/crash/' directory with the Python script located in '/usr/share/apport/apport'.
The file contains a series of system crash information including the core dump, syslog, stack trace, memory map info, etc.
A user is given read and write permission to the file.
After that, whoopsie parses the key-value pairs in the '.crash' file and encodes them into binary JSON (BSON) format.
Lastly, whoopsie forwards the data to the remotely connected Ubuntu error report system.

## Vulnerability
We have found an unhandled exception vulnerability when the amount of key-value pair(s) exceeds the available memory space.
whoopsie measures the size of the key and value respectively and allocates memory directly on the basis of the results.
Here, the allocator can fail to allocate the memory when there is a lack of space.
Unfortunately, whoopsie does not provide proper error handling in the case above.
whoopsie can fail to trap the exception on a malformed crash file declaration, and this results in denial of service.

## Attack
1) Create a fake.crash file
The unhandled_exception_poc.py script measures the available memory and generates a malicious crash file that contains a large number of key-value pairs that exceeds the available memory.
2) Trigger whoopsie to read the fake.crash file
- Just create a 'fake.upload' file with the touch command.
3) Check the result
- It results in a denial of service which allows all users to prevent crash handling.

Sincerely,
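The failure mode described in the report (key and value sizes measured, memory allocated from them, allocator result never checked) is illustrated below by a hardened key-value parser. This is an added example written for this page, not whoopsie's parse_report(); the "Key: value" line format, the max_bytes budget and the kv_pair type are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { char *key; char *value; } kv_pair;

/* Copy n bytes into a fresh NUL-terminated buffer; NULL on allocation failure. */
static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p == NULL) return NULL;          /* the check the report says is missing */
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Release everything parse_report() stored so far (used on error paths too). */
void free_pairs(kv_pair *out, size_t count) {
    for (size_t i = 0; i < count; i++) { free(out[i].key); free(out[i].value); }
}

/* Parse "Key: value" lines from an in-memory crash report into out[].
 * Returns 0 on success and sets *count; returns -1 (with nothing leaked)
 * if a line has no ':', the cumulative key+value bytes exceed max_bytes,
 * out[] is full, or malloc fails. max_bytes is a hypothetical budget for
 * this example, not a whoopsie setting. */
int parse_report(const char *text, size_t max_bytes, kv_pair *out, size_t out_cap, size_t *count) {
    size_t used = 0, n = 0;
    for (const char *line = text; *line != '\0'; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (colon == NULL || n == out_cap) goto fail;
        size_t klen = (size_t)(colon - line);
        const char *v = colon + 1;
        while (v < line + len && *v == ' ') v++;
        size_t vlen = (size_t)(line + len - v);
        /* Reject oversized reports before asking the allocator for memory. */
        if (klen + vlen > max_bytes - used) goto fail;
        out[n].key = dup_range(line, klen);
        out[n].value = dup_range(v, vlen);
        if (out[n].key == NULL || out[n].value == NULL) { n++; goto fail; }
        used += klen + vlen;
        n++;
        line = nl ? nl + 1 : line + len;
    }
    *count = n;
    return 0;
fail:
    free_pairs(out, n);   /* free(NULL) is a no-op, so a half-filled pair is safe */
    *count = 0;
    return -1;
}
```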