Hello,

I reported 3 bugs (878732, 878733, 878745). In fact, 878745 is a duplicate of 878732. But I should have reported it again because I attached the wrong poc file in 878732. So you can regenerate this bug using the attached file in 878745.
And after analyzing this issue, I thought that the two bugs are different.

<bt after segfault using poc file in 878745>
(gdb) r --conf poc
Starting program: /home/june/project/analyze/bins/ufraw-0.22/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error parsing 'poc'
Error on line 1 char 1: Document must begin with an element (e.g. <book>)

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x0000555555608809 in ufraw_batch_messenger (message=0x0) at ufraw_message.c:126
#2 0x0000000000099085 in ?? ()
#3 0x0000555555608b33 in ufraw_message (code=code@entry=208, format=format@entry=0x0) at ufraw_message.c:187
#4 0x0000555555600b1b in conf_file_load (conf=0x7fffffff3180, confFilename=<optimized out>) at ufraw_conf.c:907
#5 0x00005555555ea712 in main (argc=<optimized out>, argv=<optimized out>) at ufraw-batch.c:59

<bt after segfault using poc file in 878733>
(gdb) r --conf poc
Starting program: /home/june/project/analyze/bins/ufraw-0.22/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7910823 in g_markup_parse_context_end_parse () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0 0x00007ffff7910823 in g_markup_parse_context_end_parse () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1 0x00005555556007e0 in conf_load (c=c@entry=0x7fffffff3180, IDFilename=0x7fffffff26c8 "poc") at ufraw_conf.c:858
#2 0x0000555555600b09 in conf_file_load (conf=0x7fffffff3180, confFilename=<optimized out>) at ufraw_conf.c:901
#3 0x00005555555ea712 in main (argc=<optimized out>, argv=<optimized out>) at ufraw-batch.c:59

Please consider the above two logs to check that they are really duplicates.

Regards,
Joonun jang.

From: Hubert Chathi
Sent: Tuesday, October 17, 2017, 9:36 AM
To: Joonun Jang
Cc: 878...@bugs.debian.org
Subject: Re: Bug#878732: ufraw-batch: NULL pointer dereference when running with --conf option

On Mon, 16 Oct 2017 18:48:16 +0900, Joonun Jang <joonun.j...@gmail.com> said:

> Package: ufraw-batch
> Version: 0.22-1.1
> Severity: normal

> Running 'ufraw-batch --conf' with the attached file raises a NULL
> pointer dereference, which may allow a denial-of-service attack of a
> malicious attacker.

[...]

Hi Joonun,

Thank you for the bug report. It looks like you are passing the poc file as the argument for the configuration file. I don't think this is a big security issue, since I don't think that it is normal to pass a configuration file that was generated by another person. Nevertheless, it obviously shouldn't segfault. I think that "Severity: normal", as you've filed it, is the correct severity for this bug.

Thanks

--
Hubert Chathi <uho...@debian.org> -- https://www.uhoreg.ca/
Jabber: hub...@uhoreg.ca -- Matrix: @uhoreg:matrix.org
PGP/GnuPG key: 4096R/F24C F749 6C73 DDB8 DCB8 72DE B2DE 88D3 113A 1368