Fix in version 5.6.1, sitting in proposed

** Changed in: nemo (Ubuntu Lunar)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to nautilus in Ubuntu.
https://bugs.launchpad.net/bugs/1998060

Title:
  CVE-2022-37290: Pasted zip archive/invalid file causes NPD

Status in caja package in Ubuntu:
  New
Status in nautilus package in Ubuntu:
  New
Status in nemo package in Ubuntu:
  Fix Committed
Status in caja source package in Focal:
  New
Status in nautilus source package in Focal:
  New
Status in nemo source package in Focal:
  New
Status in caja source package in Jammy:
  New
Status in nautilus source package in Jammy:
  New
Status in nemo source package in Jammy:
  New
Status in caja source package in Kinetic:
  New
Status in nautilus source package in Kinetic:
  New
Status in nemo source package in Kinetic:
  New
Status in caja source package in Lunar:
  New
Status in nautilus source package in Lunar:
  New
Status in nemo source package in Lunar:
  Fix Committed

Bug description:
  A bug for the triage/patching of CVE-2022-37290.

  In get_basename() and g_file_get_basename(), when the file name cannot
  be parsed, NULL is returned; Nautilus does not check this, and this
  results in an NPD and a crash.

  The issue on GNOME GitLab explains this pretty well:
  https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376

  And the code in question is also in Nemo and Caja.

  History of the code: The faulty code was introduced in Nautilus 2.20,
  before Nemo and Caja were forked; these file managers have the same
  issue and same code in the function.

  The simplest POC I found was running this via DBus; I'm not 100% sure
  I've altered it correctly for Nemo and Caja, but for Nautilus it results
  in a crash regardless.

  ```
  Nov 27 20:38:32 Joshua-2210Test nautilus[5433]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
  Nov 27 20:38:32 Joshua-2210Test kernel: [  825.449866] pool-org.gnome.[5439]: segfault at 0 ip 00007f3058c6c570 sp 00007f3051dfa968 error 4 in libglib-2.0.so.0.7400.0[7f3058c03000+8f000]
  Nov 27 20:38:32 Joshua-2210Test kernel: [  825.449878] Code: 0f 85 bc fe ff ff e9 42 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 d1 48 85 f6 0f 89 b0 00 00 00 <0f> b6 07 84 c0 75 15 eb 27 0f 1f 80 00 00 00 00 0f b6 42 01 48 8d
  ```

  Attached is the poc.py, made by Wu Chunming.

  ** Nemo **
  Upstream, version 5.6.0:
  (more advanced/verbose) upstream patch: https://github.com/linuxmint/nemo/commit/b9953e61f61724f46740ac77317720549cdf6005
  possible further problems: https://github.com/linuxmint/nemo/commit/33c37a82e88a8e6b289b3b0d2010ce0caece4bdb

  ProblemType: Bug
  DistroRelease: Ubuntu 22.10
  Package: nautilus 1:43.0-1ubuntu1
  ProcVersionSignature: Ubuntu 5.19.0-23.24-generic 5.19.7
  Uname: Linux 5.19.0-23-generic x86_64
  ApportVersion: 2.23.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Nov 27 20:41:20 2022
  GsettingsChanges:

  InstallationDate: Installed on 2022-09-18 (70 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220918)
  ProcEnviron:
   SHELL=/bin/bash
   LANG=en_US.UTF-8
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
   PATH=(custom, no user)
  SourcePackage: nautilus
  UpgradeStatus: No upgrade log present (probably fresh install)
  usr_lib_nautilus:
   file-roller                       43.0-1
   nautilus-extension-gnome-terminal 3.46.2-1ubuntu1
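The unchecked-NULL pattern the bug description explains, as an added example that is not Nautilus', Nemo's or Caja's own code: `basename_or_null()` is a constructed stand-in for g_file_get_basename() (NULL when the name cannot be parsed), shown beside the caller shape that crashes and a caller that checks the return and reports the failure instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for g_file_get_basename(): a newly allocated copy of the
 * last path component, or NULL when the name cannot be parsed (empty string, or
 * a path ending in '/' with no final component). Caller frees the result. */
char *basename_or_null(const char *path)
{
    if (path == NULL || *path == '\0')
        return NULL;
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    size_t n = strlen(base);
    if (n == 0)
        return NULL;                         /* nothing after the last '/' */
    char *copy = malloc(n + 1);
    return copy ? memcpy(copy, base, n + 1) : NULL;
}

/* Unchecked caller: the pattern behind the reported crash. A NULL return is
 * handed straight to strlen(), which dereferences address 0. Never called here. */
size_t basename_length_unchecked(const char *path)
{
    char *base = basename_or_null(path);
    size_t len = strlen(base);               /* NULL pointer dereference */
    free(base);
    return len;
}

/* Checked caller: test the return before use and report the failure instead of
 * crashing. Returns 1 and sets *len_out on success, 0 if the name is unparsable. */
int basename_length_checked(const char *path, size_t *len_out)
{
    char *base = basename_or_null(path);
    if (base == NULL) {
        fprintf(stderr, "cannot parse file name: \"%s\"\n", path ? path : "(null)");
        return 0;
    }
    *len_out = strlen(base);
    free(base);
    return 1;
}
int main(void)
{
    const char *inputs[] = { "/home/user/archive.zip", "/home/user/", "" }; size_t len = 0;
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %s\n", inputs[i], basename_length_checked(inputs[i], &len) ? "ok" : "rejected");
    return 0;
}
```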



-- 
Mailing list: https://launchpad.net/~desktop-packages