[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-07-06 Thread Leonidas S. Barbosa
** Changed in: whoopsie (Ubuntu)
   Status: New => Confirmed

** Changed in: whoopsie (Ubuntu)
 Assignee: (unassigned) => Alex Murray (alexmurray)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to whoopsie in Ubuntu.
https://bugs.launchpad.net/bugs/1881982

Title:
  DoS vulnerability: cause resource exhaustion

Status in whoopsie package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  I have found a security issue on whoopsie 0.2.69 and earlier.

  # Vulnerability description
  The parse_report() function in whoopsie.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  Exploitation of this issue causes excessive memory consumption, which results in the Linux kernel triggering the OOM killer on an arbitrary process.
  This results in the process being terminated by the OOM killer.

  
  # Details 
  We have found a memory leak vulnerability during the parsing of the crash file, when a collision occurs on GHashTable through g_hash_table_insert().
  According to [1], if the key already exists in the GHashTable, its current value is replaced with the new value.
  If 'key_destroy_func' and 'value_destroy_func' are supplied when creating the table, the old value and the passed key are freed using those functions.
  Unfortunately, whoopsie does not handle the old value and the passed key when a collision happens.
  If a crash file contains the same repetitive key-value pairs, it leads to a memory leak in proportion to the amount of repetition and results in a denial of service.

  [1] https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-insert

  
  # PoC (*Please check the below PoC: whoopsie_killer.py)
  1) Generate a certain malformed crash file that contains the same repetitive key-value pairs.
  2) Trigger whoopsie to read the generated crash file.
  3) After that, the whoopsie process has been killed.

  
  # Mitigation (*Please check the below patch: g_hash_table_memory_leak.patch)
  We should use g_hash_table_new_full() with the ‘key_destroy_func’ and ‘value_destroy_func’ functions instead of g_hash_table_new().
  Otherwise, before g_hash_table_insert(), we should check for the collision via g_hash_table_lookup_extended(), obtain a pointer to the old value, and remove it.

  Sincerely,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1881982/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
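
The leak described in the report above and the two mitigations it proposes, as an added example that is not part of the original report, its PoC, or the whoopsie patch. It is a small C stand-in for GHashTable's replace-on-insert contract, not GLib itself; the table type, the `Key: value` sample input and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration: a minimal model of the replace-on-insert contract
 * quoted in the report. Not GLib code and not whoopsie code. */
enum mode { LEAKY, DESTROY_FUNCS, LOOKUP_FIRST };
typedef void (*destroy_fn)(void *);

struct entry { char *key, *value; struct entry *next; };
struct table { struct entry *head; destroy_fn key_destroy, value_destroy; };

static long live_allocs;   /* key/value strings currently allocated */

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) abort();
    memcpy(p, s, n);
    p[n] = '\0';
    live_allocs++;
    return p;
}

static void free_tracked(void *p) { free(p); live_allocs--; }

static struct entry *table_find(struct table *t, const char *key) {
    for (struct entry *e = t->head; e; e = e->next)
        if (strcmp(e->key, key) == 0) return e;
    return NULL;
}

/* On an existing key the value is replaced; the old value and the passed
 * key are freed only if destroy functions were supplied at creation. */
static void table_insert(struct table *t, char *key, char *value) {
    struct entry *e = table_find(t, key);
    if (e) {
        if (t->value_destroy) t->value_destroy(e->value);
        if (t->key_destroy) t->key_destroy(key);
        e->value = value;
        return;
    }
    e = malloc(sizeof *e);
    if (!e) abort();
    e->key = key; e->value = value; e->next = t->head;
    t->head = e;
}

/* Parse "Key: value" lines (constructed format) and return how many
 * key/value strings are still allocated after the table is torn down. */
long parse_report(const char *text, enum mode m) {
    struct table t = { NULL, NULL, NULL };
    if (m == DESTROY_FUNCS) {          /* first mitigation in the report */
        t.key_destroy = free_tracked;
        t.value_destroy = free_tracked;
    }
    live_allocs = 0;
    for (const char *line = text; *line; ) {
        size_t len = strcspn(line, "\n");
        const char *sep = memchr(line, ':', len);
        if (sep) {
            const char *v = sep + 1;
            while (v < line + len && *v == ' ') v++;
            char *key = dup_range(line, (size_t)(sep - line));
            char *value = dup_range(v, (size_t)(line + len - v));
            struct entry *old = (m == LOOKUP_FIRST) ? table_find(&t, key) : NULL;
            if (old) {                 /* second mitigation: release old pair first */
                free_tracked(old->key);
                free_tracked(old->value);
                old->key = key; old->value = value;
            } else {
                table_insert(&t, key, value);
            }
        }
        line += len;
        if (*line == '\n') line++;
    }
    while (t.head) {                   /* teardown frees only reachable strings */
        struct entry *e = t.head;
        t.head = e->next;
        free_tracked(e->key);
        free_tracked(e->value);
        free(e);
    }
    return live_allocs;
}

/* Constructed input: one unique line followed by `repeats` identical lines. */
long leak_for_repeats(int repeats, enum mode m) {
    const char *first = "ProblemType: Crash\n", *dup = "Package: demo 1.0\n";
    size_t a = strlen(first), n = strlen(dup);
    char *buf = malloc(a + n * (size_t)repeats + 1);
    if (!buf) abort();
    memcpy(buf, first, a);
    for (int i = 0; i < repeats; i++) memcpy(buf + a + n * (size_t)i, dup, n);
    buf[a + n * (size_t)repeats] = '\0';
    long leaked = parse_report(buf, m);
    free(buf);
    return leaked;
}

int main(void) {
    printf("no destroy funcs : %ld strings leaked\n", leak_for_repeats(1000, LEAKY));
    printf("destroy funcs    : %ld strings leaked\n", leak_for_repeats(1000, DESTROY_FUNCS));
    printf("lookup before add: %ld strings leaked\n", leak_for_repeats(1000, LOOKUP_FIRST));
    return 0;
}
```

In the model, every repeated line after the first leaves two strings unreachable (the passed key and the replaced value), so the leak grows linearly with the number of repeats.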


[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-07-09 Thread Marc Deslauriers
** Changed in: whoopsie (Ubuntu)
 Assignee: Alex Murray (alexmurray) => Marc Deslauriers (mdeslaur)



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-07-09 Thread Marc Deslauriers
https://github.com/sungjungk/whoopsie_killer



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-07-09 Thread Marc Deslauriers
** Also affects: whoopsie (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: whoopsie (Ubuntu Groovy)
   Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
   Status: Confirmed

** Also affects: whoopsie (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: whoopsie (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: whoopsie (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Changed in: whoopsie (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: whoopsie (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: whoopsie (Ubuntu Eoan)
   Status: New => Confirmed

** Changed in: whoopsie (Ubuntu Focal)
   Status: New => Confirmed

** Changed in: whoopsie (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: whoopsie (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: whoopsie (Ubuntu Eoan)
   Importance: Undecided => Medium

** Changed in: whoopsie (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: whoopsie (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: whoopsie (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: whoopsie (Ubuntu Eoan)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: whoopsie (Ubuntu Focal)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

Status in whoopsie package in Ubuntu:
  Confirmed
Status in whoopsie source package in Xenial:
  Confirmed
Status in whoopsie source package in Bionic:
  Confirmed
Status in whoopsie source package in Eoan:
  Confirmed
Status in whoopsie source package in Focal:
  Confirmed
Status in whoopsie source package in Groovy:
  Confirmed



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-07-09 Thread Seth Arnold
Please use CVE-2020-11937 for this issue. Thanks.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11937



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-08-04 Thread Launchpad Bug Tracker
This bug was fixed in the package whoopsie - 0.2.69ubuntu0.1

---
whoopsie (0.2.69ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers   Fri, 24 Jul 2020 08:55:26 -0400

** Changed in: whoopsie (Ubuntu Focal)
   Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12135

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15570

** Changed in: whoopsie (Ubuntu Xenial)
   Status: Confirmed => Fix Released

Status in whoopsie package in Ubuntu:
  Confirmed
Status in whoopsie source package in Xenial:
  Fix Released
Status in whoopsie source package in Bionic:
  Fix Released
Status in whoopsie source package in Eoan:
  Confirmed
Status in whoopsie source package in Focal:
  Fix Released
Status in whoopsie source package in Groovy:
  Confirmed



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-08-04 Thread Launchpad Bug Tracker
This bug was fixed in the package whoopsie - 0.2.52.5ubuntu0.5

---
whoopsie (0.2.52.5ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers   Fri, 24 Jul 2020 08:55:26 -0400



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-08-04 Thread Launchpad Bug Tracker
This bug was fixed in the package whoopsie - 0.2.62ubuntu0.5

---
whoopsie (0.2.62ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers   Fri, 24 Jul 2020 08:55:26 -0400

** Changed in: whoopsie (Ubuntu Bionic)
   Status: Confirmed => Fix Released



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-08-07 Thread Launchpad Bug Tracker
This bug was fixed in the package whoopsie - 0.2.71

---
whoopsie (0.2.71) groovy; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Brian Murray   Wed, 05 Aug 2020 15:00:45 -0700

** Changed in: whoopsie (Ubuntu Groovy)
   Status: Confirmed => Fix Released

Status in whoopsie package in Ubuntu:
  Fix Released
Status in whoopsie source package in Xenial:
  Fix Released
Status in whoopsie source package in Bionic:
  Fix Released
Status in whoopsie source package in Eoan:
  Confirmed
Status in whoopsie source package in Focal:
  Fix Released
Status in whoopsie source package in Groovy:
  Fix Released



[Touch-packages] [Bug 1881982] Re: DoS vulnerability: cause resource exhaustion

2020-08-18 Thread Brian Murray
The Eoan Ermine has reached end of life, so this bug will not be fixed
for that release.

** Changed in: whoopsie (Ubuntu Eoan)
   Status: Confirmed => Won't Fix

Status in whoopsie package in Ubuntu:
  Fix Released
Status in whoopsie source package in Xenial:
  Fix Released
Status in whoopsie source package in Bionic:
  Fix Released
Status in whoopsie source package in Eoan:
  Won't Fix
Status in whoopsie source package in Focal:
  Fix Released
Status in whoopsie source package in Groovy:
  Fix Released
