*** This bug is a security vulnerability ***

Public security bug reported:

fmt doesn't check the filetypes of the input arguments passed to it; it just
opens the file and reads from it without checking its st_mode. It only
throws an error if the file doesn't exist, and it can't handle the following
filetypes: S_IFCHR, S_IFBLK and S_IFBLK. Passing a file of any of
these types will possibly hang or crash the application.

For more reference, please visit the link below:
https://github.com/pkmoore/rrapper/blob/master/anomalies/weird_filetypes.md

I have attached a patch that checks for the above-mentioned filetypes and
handles them accordingly.
Please let me know if you have any questions or suggestions regarding this;
I will be happy to answer them.

Thank you
Snahil Singh 
ss11...@nyu.edu

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: coreutils 8.28-1ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-39.42-generic 4.15.18
Uname: Linux 4.15.0-39-generic i686
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: i386
CurrentDesktop: XFCE
Date: Tue Dec 11 20:01:58 2018
ExecutablePath: /usr/bin/fmt
InstallationDate: Installed on 2018-11-07 (35 days ago)
InstallationMedia: Xubuntu 18.04 LTS "Bionic Beaver" - Release i386 (20180426)
SourcePackage: coreutils
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: coreutils (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug bionic i386

** Patch added: "Patch to check and handle filetypes in fmt"
   https://bugs.launchpad.net/bugs/1808092/+attachment/5221538/+files/fmt.patch

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1808092

Title:
  Checking and handling various filetypes in fmt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/coreutils/+bug/1808092/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
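
The check the report asks for, inspecting st_mode before reading, can be sketched as follows. This is an added example, not the attached patch and not coreutils code; the names `open_text_input` and `enum input_kind` are hypothetical, and accepting only regular files is a policy assumed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum input_kind { INPUT_OK, INPUT_UNOPENABLE, INPUT_DIR, INPUT_DEVICE, INPUT_OTHER };

/* Open path read-only and classify it with fstat() on the descriptor, so the
 * type check and the later reads refer to the same object (no stat-then-open
 * race). O_NONBLOCK keeps open() from blocking on a FIFO with no writer;
 * O_NOCTTY stops a terminal device from becoming the controlling tty. */
static enum input_kind open_text_input(const char *path, int *fd_out)
{
    struct stat st;
    enum input_kind kind;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);

    if (fd < 0)
        return INPUT_UNOPENABLE;            /* missing, no permission, ... */
    if (fstat(fd, &st) != 0) {
        close(fd);
        return INPUT_OTHER;
    }
    if (S_ISREG(st.st_mode))
        kind = INPUT_OK;
    else if (S_ISDIR(st.st_mode))
        kind = INPUT_DIR;
    else if (S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode))
        kind = INPUT_DEVICE;                /* the types named in the report */
    else
        kind = INPUT_OTHER;                 /* FIFO, socket, ... */
    if (kind != INPUT_OK) {                 /* assumed policy: regular files only */
        close(fd);
        return kind;
    }
    /* Regular file accepted: restore blocking reads for the caller. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
    *fd_out = fd;
    return INPUT_OK;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = -1;
        enum input_kind k = open_text_input(argv[i], &fd);
        printf("%s: %s\n", argv[i], k == INPUT_OK ? "accepted" : "rejected");
        if (k == INPUT_OK)
            close(fd);
    }
    return 0;
}
```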