
desktop-packages team mailing list archive

[Bug 1502912] Re: gvfsd-dav: null pointer dereference if server response is not escaped

See also https://bugzilla.gnome.org/show_bug.cgi?id=743298

** Information type changed from Private Security to Public Security

** Bug watch added: GNOME Bug Tracker #743298
   https://bugzilla.gnome.org/show_bug.cgi?id=743298

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gvfs in Ubuntu.
https://bugs.launchpad.net/bugs/1502912

Title:
  gvfsd-dav: null pointer dereference if server response is not escaped

Status in gvfs package in Ubuntu:
  New

Bug description:
  My colleague Gustavo Nunes Pereira has found that gvfsd-dav was
  crashing with a SEGFAULT on some of our WebDAV mounts. I'm not sure if
  this is exploitable, but it is caused by a null pointer dereference
  when listing remote files in a directory if the server returns a non-escaped
  filename.

  A backtrace follows:

  (gdb) bt
  #0  strlen () at ../sysdeps/x86_64/strlen.S:106
  #1  0x000000000040ab4c in path_equal (
      a=a@entry=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx", 
      b=<optimized out>, relax=1) at gvfsbackenddav.c:243
  #2  0x000000000040b9f9 in path_equal (relax=1, b=<optimized out>, 
      a=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx")
      at gvfsbackenddav.c:237
  #3  multistatus_get_response (resp_iter=resp_iter@entry=0x7fffe3dfbd50, response=response@entry=0x7fffe3dfbd30) at gvfsbackenddav.c:856
  #4  0x000000000040c8ee in do_enumerate (backend=<optimized out>, job=0x63f190, filename=<optimized out>, matcher=<optimized out>, flags=<optimized out>)
      at gvfsbackenddav.c:2211
  #5  0x00007ffff7bc4dea in g_vfs_job_run (job=0x63f190) at gvfsjob.c:197
  #6  0x00007ffff64d488c in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #7  0x00007ffff64d3f05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #8  0x00007ffff6250182 in start_thread (arg=0x7fffe3dfc700) at pthread_create.c:312
  #9  0x00007ffff5f7d47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

  This bug cannot be reproduced using the master branch from the gvfs
  repository. It was already fixed by upstream commit
  https://git.gnome.org/browse/gvfs/patch/?id=f81ff2108ab3b6e370f20dcadd8708d23f499184
  which can be applied cleanly against Ubuntu's gvfs 1.20.3.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: gvfs 1.20.3-0ubuntu1.2
  ProcVersionSignature: Ubuntu 3.13.0-65.105-generic 3.13.11-ckt26
  Uname: Linux 3.13.0-65-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.14.1-0ubuntu3.15
  Architecture: amd64
  Date: Mon Oct  5 10:44:59 2015
  InstallationDate: Installed on 2014-07-10 (451 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: gvfs
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1502912/+subscriptions
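The failure mode in the report above, reduced to an added C example (not gvfs code and not the upstream fix): a strict percent-decoder that returns NULL for an href such as "justificativa_25%.docx", where '%' is not followed by two hex digits, and a path comparison that treats NULL as "no match" instead of reaching strlen(). The function names and the meaning of the `relax` flag are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Strict percent-decoding of a DAV href. Returns a malloc'd string, or NULL
 * when a '%' is not followed by two hex digits (as in "justificativa_25%.docx")
 * or would decode to a NUL byte. Callers must check for NULL. */
char *dav_path_unescape(const char *s) {
    size_t n = strlen(s), j = 0;
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (s[i] != '%') { out[j++] = s[i]; continue; }
        int hi = (i + 2 < n) ? hexval((unsigned char)s[i + 1]) : -1;
        int lo = (i + 2 < n) ? hexval((unsigned char)s[i + 2]) : -1;
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) { free(out); return NULL; }
        out[j++] = (char)(hi * 16 + lo);
        i += 2;
    }
    out[j] = '\0';
    return out;
}

/* Path comparison that tolerates NULL (the backtrace shows strlen() reached
 * with a NULL argument). 'relax' ignoring one trailing '/' is an assumption. */
int path_equal_safe(const char *a, const char *b, int relax) {
    if (a == NULL || b == NULL) return 0;
    size_t la = strlen(a), lb = strlen(b);
    if (relax) {
        if (la > 1 && a[la - 1] == '/') la--;
        if (lb > 1 && b[lb - 1] == '/') lb--;
    }
    return la == lb && memcmp(a, b, la) == 0;
}

/* Does a server-supplied href refer to the requested (already decoded) path?
 * A malformed href is reported as "no match" rather than crashing the daemon. */
int dav_href_matches(const char *wanted, const char *href) {
    char *decoded = dav_path_unescape(href);
    int same = path_equal_safe(wanted, decoded, 1);
    free(decoded);
    return same;
}
```

A caller enumerating a directory would skip (or log) entries for which dav_href_matches() returns 0 because of a malformed href, so a misbehaving server cannot take the mount down.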