DoS vulnerability: fail to allocate
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
whoopsie (Ubuntu) |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Xenial |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Bionic |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Eoan |
Won't Fix
|
Undecided
|
Marc Deslauriers | ||
Focal |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Groovy |
Fix Released
|
Undecided
|
Marc Deslauriers |
Bug Description
Hi,
I have found a security issue on whoopsie 0.2.69 and earlier.
# Vulnerability description
In whoopsie 0.2.69 and earlier, there is a denial of service vulnerability in the parse_report function.
A crafted input, i.e., crash report located in '/var/crash/', will lead to a denial of service attack.
During the parsing of the crash report, the data length is not checked.
The value of data length can be directly controlled by an input file.
In the parse_report() function, the g_malloc or g_realloc is called based on data length.
If we set the value of data length close to the amount of system memory, it will cause the daemon process to terminate unexpectedly, hang the system, or trigger the OOM killer.
# PoC
Please check the below whoopsie_killer2.py
Sincerely,
Related branches
CVE References
Changed in whoopsie (Ubuntu): | |
status: | New → Confirmed |
assignee: | nobody → Alex Murray (alexmurray) |
Changed in whoopsie (Ubuntu Xenial): | |
status: | New → Confirmed |
assignee: | nobody → Alex Murray (alexmurray) |
Changed in whoopsie (Ubuntu Bionic): | |
status: | New → Confirmed |
assignee: | nobody → Alex Murray (alexmurray) |
Changed in whoopsie (Ubuntu Focal): | |
status: | New → Confirmed |
assignee: | nobody → Alex Murray (alexmurray) |
Changed in whoopsie (Ubuntu Eoan): | |
status: | New → Confirmed |
assignee: | nobody → Alex Murray (alexmurray) |
This is PoC source code.