** Attachment removed: "PoC.tar.bz2" https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830863/+attachment/5267311/+files/PoC.tar.bz2
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to whoopsie in Ubuntu.
https://bugs.launchpad.net/bugs/1830863

Title:
  Integer overflow in parse_report (whoopsie.c:425)

Status in Whoopsie:
  New
Status in whoopsie package in Ubuntu:
  Fix Released

Bug description:
  Dear Ubuntu Security Team,

  I would like to report an integer overflow vulnerability in whoopsie. In combination with issue 1830858, this vulnerability may enable a local attacker to read arbitrary files on the system.

  I have attached a proof-of-concept which triggers the vulnerability. I have tested it on an up-to-date Ubuntu 18.04. Run it as follows:

    bunzip2 PoC.tar.bz2
    tar -xf PoC.tar
    cd PoC
    make
    ./killwhoopsie1

  The PoC works by creating a file named `/var/crash/killwhoopsie.crash`, just over 4GB in size. It then creates a file named `/var/crash/killwhoopsie.upload`, which prompts whoopsie to start processing the .crash file. Be aware that whoopsie will keep restarting and crash repeatedly until you remove the files from /var/crash.

  This is the source location of the integer overflow bug:

  http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/src/whoopsie.c#L425

  The problem is that the type of value_pos is int, but the size of the file can be larger than INT_MAX. My PoC arranges things such that value_pos == -16, leading to an out-of-bounds write on line 440.

  Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours.
  For reference, here is a link to Semmle's vulnerability disclosure policy:

  https://lgtm.com/security#disclosure_policy

  Thank you,

  Kevin Backhouse

  Semmle Security Research Team
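
Added example, not part of the bug report and not whoopsie's code: the bug class the report describes (a position kept in an int while the input can exceed INT_MAX) next to a size_t position with a checked append. The names offset_seen_by_int, value_buf and value_append are hypothetical, and the sample offsets are constructed; the report does not state how value_pos reaches -16.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a byte offset becomes once stored in a 32-bit int counter.
 * Out-of-range conversion to int is implementation-defined; GCC and
 * Clang wrap modulo 2^32, so large offsets come back negative. */
static int offset_seen_by_int(uint64_t offset)
{
    return (int)(uint32_t)offset;
}

/* Hypothetical bounded writer (not whoopsie code): position and capacity
 * are size_t, and each append is checked before any byte is written. */
struct value_buf {
    char  *data;
    size_t cap;
    size_t pos;
};

static bool value_append(struct value_buf *b, const char *src, size_t len)
{
    if (b->pos > b->cap || len > b->cap - b->pos)
        return false;                 /* would write past the end */
    memcpy(b->data + b->pos, src, len);
    b->pos += len;
    return true;
}

int main(void)
{
    /* Constructed sample offsets, not values taken from the report. */
    const uint64_t samples[] = { 100, (uint64_t)INT_MAX + 1, (1ULL << 32) - 16 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("offset %llu -> int index %d\n",
               (unsigned long long)samples[i], offset_seen_by_int(samples[i]));

    char store[8];
    struct value_buf b = { store, sizeof store, 0 };
    printf("append 4 bytes: %s\n", value_append(&b, "abcd", 4) ? "ok" : "rejected");
    printf("append 5 bytes: %s\n", value_append(&b, "efghi", 5) ? "ok" : "rejected");
    return 0;
}
```

The subtraction form `len > b->cap - b->pos` is used instead of `b->pos + len > b->cap` so the check itself cannot wrap.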