
desktop-packages team mailing list archive

[Bug 1502912] Re: gvfsd-dav: null pointer dereference if server response is not escaped


The attachment "Upstream patch" seems to be a patch.  If it isn't,
please remove the "patch" flag from the attachment, remove the "patch"
tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gvfs in Ubuntu.

  gvfsd-dav: null pointer dereference if server response is not escaped

Status in gvfs package in Ubuntu:

Bug description:
  My colleague Gustavo Nunes Pereira has found that gvfsd-dav was
  crashing with a SEGFAULT on some of our WebDAV mounts. I'm not sure if
  this is exploitable, but it is caused by a null pointer dereference
  when listing remote files in a directory if the server returns a
  non-escaped filename.

  A backtrace follows:

  (gdb) bt
  #0  strlen () at ../sysdeps/x86_64/strlen.S:106
  #1  0x000000000040ab4c in path_equal (
      a=a@entry=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx", 
      b=<optimized out>, relax=1) at gvfsbackenddav.c:243
  #2  0x000000000040b9f9 in path_equal (relax=1, b=<optimized out>, 
      a=0x7fffd80cc150 "/alfresco/webdav/Sites/editaisproad/documentLibrary/Editais_PROAD/ARQUIVOS EDNA-EDLAINE/justificativa_25%.docx")
      at gvfsbackenddav.c:237
  #3  multistatus_get_response (resp_iter=resp_iter@entry=0x7fffe3dfbd50, response=response@entry=0x7fffe3dfbd30) at gvfsbackenddav.c:856
  #4  0x000000000040c8ee in do_enumerate (backend=<optimized out>, job=0x63f190, filename=<optimized out>, matcher=<optimized out>, flags=<optimized out>)
      at gvfsbackenddav.c:2211
  #5  0x00007ffff7bc4dea in g_vfs_job_run (job=0x63f190) at gvfsjob.c:197
  #6  0x00007ffff64d488c in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #7  0x00007ffff64d3f05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #8  0x00007ffff6250182 in start_thread (arg=0x7fffe3dfc700) at pthread_create.c:312
  #9  0x00007ffff5f7d47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

  This bug cannot be reproduced using the master branch from the gvfs
  repository. It was already fixed by upstream commit
  which can be applied cleanly against Ubuntu's gvfs 1.20.3.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: gvfs 1.20.3-0ubuntu1.2
  ProcVersionSignature: Ubuntu 3.13.0-65.105-generic 3.13.11-ckt26
  Uname: Linux 3.13.0-65-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.14.1-0ubuntu3.15
  Architecture: amd64
  Date: Mon Oct  5 10:44:59 2015
  InstallationDate: Installed on 2014-07-10 (451 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: gvfs
  UpgradeStatus: No upgrade log present (probably fresh install)

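The failure mode the backtrace points at, as an added example that is not part of the original report or of gvfs: the href in the trace ends in "justificativa_25%.docx", and "%." is not a valid percent-escape, so an unescape routine with GLib's g_uri_unescape_string() contract returns NULL; a path comparison that calls strlen() on its inputs without a NULL check, as frame #1 suggests, then dereferences NULL. The code below reimplements that contract in a stand-alone decoder, reproduces the unchecked comparison, and shows a hardened caller. The function names, the relaxed trailing-slash rule, the sample paths and the fallback policy (compare the raw href when unescaping fails) are this example's own assumptions; the upstream fix is not shown on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_uri_unescape_string(): decodes %XX and, like the GLib
 * function, returns NULL when a '%' is not followed by two hex digits.
 * Assumption: a minimal reimplementation written for this example, not GLib. */
static char *
unescape (const char *s)
{
  size_t n = strlen (s), o = 0;
  char *out = malloc (n + 1);

  if (out == NULL)
    return NULL;
  for (size_t i = 0; i < n; i++)
    {
      if (s[i] == '%')
        {
          /* s is NUL-terminated, so reading s[i+1]/s[i+2] is safe:
           * a '\0' is simply not a hex digit. */
          if (!isxdigit ((unsigned char) s[i + 1]) ||
              !isxdigit ((unsigned char) s[i + 2]))
            {
              free (out);
              return NULL;      /* malformed, e.g. the "%." in "25%.docx" */
            }
          char hex[3] = { s[i + 1], s[i + 2], '\0' };
          out[o++] = (char) strtol (hex, NULL, 16);
          i += 2;
        }
      else
        out[o++] = s[i];
    }
  out[o] = '\0';
  return out;
}

/* Relaxed comparison in the shape the backtrace shows: strlen() on both
 * inputs, ignoring one trailing '/'. A NULL argument is the crash.
 * (Simplified reconstruction for the example, not gvfs source.) */
static int
path_equal (const char *a, const char *b)
{
  size_t al = strlen (a), bl = strlen (b);

  if (al > 1 && a[al - 1] == '/') al--;
  if (bl > 1 && b[bl - 1] == '/') bl--;
  return al == bl && memcmp (a, b, al) == 0;
}

/* Vulnerable flow: the href from the server's multistatus response is
 * unescaped and handed straight to path_equal(), so a malformed escape
 * becomes a NULL dereference. Only call this with well-formed hrefs. */
static int
href_matches_unchecked (const char *href, const char *wanted)
{
  char *u = unescape (href);
  int r = path_equal (wanted, u);   /* u may be NULL here */

  free (u);
  return r;
}

/* Hardened flow: a failed unescape is treated as "the server sent the
 * literal path" and compared as-is, so a sloppy or hostile server can make
 * an entry mismatch but cannot crash the daemon. This fallback is one
 * policy chosen for the example, not the upstream fix. */
static int
href_matches (const char *href, const char *wanted)
{
  char *u = unescape (href);
  const char *candidate = (u != NULL) ? u : href;
  int r = path_equal (wanted, candidate);

  free (u);
  return r;
}

int
main (void)
{
  /* Constructed inputs modelled on the path in the backtrace. */
  const char *good = "/dav/ARQUIVOS%20EDNA/justificativa_25%25.docx";
  const char *bad  = "/dav/ARQUIVOS EDNA/justificativa_25%.docx";
  const char *want = "/dav/ARQUIVOS EDNA/justificativa_25%.docx";

  printf ("escaped href, unchecked: %d\n", href_matches_unchecked (good, want));
  printf ("escaped href, hardened:  %d\n", href_matches (good, want));
  /* href_matches_unchecked (bad, want) would call strlen (NULL) here. */
  printf ("raw href, hardened:      %d\n", href_matches (bad, want));
  return 0;
}
```

Compile with any C99 compiler and run it; the commented-out call on the raw href is the one that mirrors the crash in the report. When reviewing callers of g_uri_unescape_string() (or any decoder that signals "invalid input" with NULL), the check to look for is exactly the one between unescape() and path_equal(): either the NULL is handled before the string reaches strlen()/memcmp(), or an untrusted server controls whether the process dies.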