*** This bug is a security vulnerability ***
You have been subscribed to a private security bug by Joshua Peisach (itzswirlz):
A bug for the triage/patching of CVE-2022-37290.

In get_basename() and g_file_get_basename(), when the file name cannot be parsed, NULL is returned; Nautilus does not check this, and this results in an NPD and a crash. The issue on GNOME GitLab explains this pretty well: https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376

And the code in question is also in Nemo and Caja.

History of the code: the faulty code was introduced in Nautilus 2.20, before Nemo and Caja were forked; these file managers have the same issue and the same code in the function.

The simplest POC I found was running this via DBus, which I'm not 100% sure I've altered correctly for Nemo and Caja, but regardless, for Nautilus this results in a crash.

```
Nov 27 20:38:32 Joshua-2210Test nautilus[5433]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Nov 27 20:38:32 Joshua-2210Test kernel: [  825.449866] pool-org.gnome.[5439]: segfault at 0 ip 00007f3058c6c570 sp 00007f3051dfa968 error 4 in libglib-2.0.so.0.7400.0[7f3058c03000+8f000]
Nov 27 20:38:32 Joshua-2210Test kernel: [  825.449878] Code: 0f 85 bc fe ff ff e9 42 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 d1 48 85 f6 0f 89 b0 00 00 00 <0f> b6 07 84 c0 75 15 eb 27 0f 1f 80 00 00 00 00 0f b6 42 01 48 8d
```

Attached is the poc.py, made by Wu Chunming.
** Nemo **

Upstream, version 5.6.0: (more advanced/verbose)
upstream patch: https://github.com/linuxmint/nemo/commit/b9953e61f61724f46740ac77317720549cdf6005
possible further problems: https://github.com/linuxmint/nemo/commit/33c37a82e88a8e6b289b3b0d2010ce0caece4bdb

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: nautilus 1:43.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-23.24-generic 5.19.7
Uname: Linux 5.19.0-23-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Sun Nov 27 20:41:20 2022
GsettingsChanges:
InstallationDate: Installed on 2022-09-18 (70 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220918)
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
 PATH=(custom, no user)
SourcePackage: nautilus
UpgradeStatus: No upgrade log present (probably fresh install)
usr_lib_nautilus:
 file-roller 43.0-1
 nautilus-extension-gnome-terminal 3.46.2-1ubuntu1

** Affects: caja (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nautilus (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nemo (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug bionic focal jammy kinetic wayland-session

-- 
CVE-2022-37290: Pasted zip archive/invalid file causes NPD
https://bugs.launchpad.net/bugs/1998060

You received this bug notification because you are a member of Ubuntu Cinnamon Developers, which is subscribed to the bug report.

-- 
universe-bugs mailing list
universe-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/universe-bugs