package network-manager-gnome
fixed 566625 network-manager-applet/0.7.999-1
quit
This bug seems to be caused by an uninitialized GError *error in network-manager-applet-0.7.2/src/gconf-helpers/nma-gconf-connection.c (nma_gconf_connection_new). nm-connection-editor did not crash when I tested with a debug build, because the variable somehow became NULL then; but if I set error = (GError *) 1 with GDB after the declaration, then it crashed.

Also, valgrind shows the bug in the debug build without GDB:

  ==9114== Conditional jump or move depends on uninitialised value(s)
  ==9114==    at 0x756CF1F: g_clear_error (gerror.c:300)
  ==9114==    by 0x441864: nma_gconf_connection_new (nma-gconf-connection.c:83)
  ==9114==    by 0x437905: connection_changes_done (nma-gconf-settings.c:317)
  ==9114==    by 0x757D6F1: g_main_context_dispatch (gmain.c:1960)
  ==9114==    by 0x7581567: g_main_context_iterate (gmain.c:2591)
  ==9114==    by 0x7581A74: g_main_loop_run (gmain.c:2799)
  ==9114==    by 0x41C0BA: main (main.c:291)

The Debian network-manager-gnome 0.7.2-2 binary likewise crashes somewhere in g_clear_error:

  #0  0x00007ffff50b2165 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
  #1  0x00007ffff50b4f70 in *__GI_abort () at abort.c:92
  #2  0x00007ffff50e827b in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
  #3  0x00007ffff50f1ad6 in malloc_printerr (action=3, str=0x7ffff51a89f0 "munmap_chunk(): invalid pointer", ptr=<value optimized out>) at malloc.c:6267
  #4  0x00007ffff540eee2 in IA__g_error_free (error=0x7ffff56bc170) at /scratch/build-area/glib2.0-2.24.2/glib/gerror.c:138
  #5  0x00007ffff540ef26 in IA__g_clear_error (err=0x7fffffffe0b8) at /scratch/build-area/glib2.0-2.24.2/glib/gerror.c:302
  #6  0x000000000043824a in nma_gconf_connection_new ()
  #7  0x000000000043096d in ?? ()
  #8  0x00007ffff541f6f2 in g_main_dispatch (context=0x68eae0) at /scratch/build-area/glib2.0-2.24.2/glib/gmain.c:1960
  #9  IA__g_main_context_dispatch (context=0x68eae0) at /scratch/build-area/glib2.0-2.24.2/glib/gmain.c:2513
  #10 0x00007ffff5423568 in g_main_context_iterate (context=0x68eae0, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at /scratch/build-area/glib2.0-2.24.2/glib/gmain.c:2591
  #11 0x00007ffff5423a75 in IA__g_main_loop_run (loop=0x6e7760)

The code in nma_gconf_connection_new looks like this:

  GError *error;
  ...
  connection = nm_gconf_read_connection (client, conf_dir, &error);
  if (connection) {
      ...
  } else {
      g_warning ("%s: (%s) error reading connection: (%d) %s",
                 __func__, conf_dir,
                 error ? error->code : -1,
                 error && error->message ? error->message : "(unknown)");
      g_clear_error (&error);
  }

http://developer.gnome.org/glib/unstable/glib-Error-Reporting.html says: "A GError* must be initialized to NULL before passing its address to a function that can report errors." Thus, the bug is in network-manager-applet, not in gconf_client_all_dirs, to which nm_gconf_read_connection passes the error pointer.
The bug was caused by a patch that was made to fix CVE-2009-4144, included in network-manager-applet 0.7.3-beta2, and applied by Debian as 03-CVE-2009-4144_fix_ca_cert_handling_after_cert_file_deletion.patch in network-manager-applet 0.7.2-2:

  http://git.gnome.org/browse/network-manager-applet/commit/?h=NETWORKMANAGER_APPLET_0_7&id=4020594dfbf566f1852f0acb36ad631a9e73a82b
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560067
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4144

The bug was fixed in network-manager-applet 0.7.3:

  http://git.gnome.org/browse/network-manager-applet/commit/?h=NETWORKMANAGER_APPLET_0_7&id=71e294a08119f9a1023518a3803631a808bf87bd
  https://bugzilla.gnome.org/show_bug.cgi?id=621401
  https://bugzilla.novell.com/show_bug.cgi?id=611630

In network-manager-applet 0.7.0, 0.8.0, and 0.8.4, nma_gconf_connection_new does not use GError at all and thus cannot have this bug. The flawed patch was removed in Debian network-manager-applet 0.7.999-1.
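The report above turns on the GError contract that the out-parameter must be NULL before its address is handed to a callee, because the callee may fail without ever writing to it, after which g_clear_error() dereferences and frees whatever was on the stack. The following is an added example, not code from network-manager-applet or GLib: it uses a small stand-in for GError (Err, set_error, clear_error) that follows the same rules as g_set_error()/g_clear_error(), a stand-in read_connection() that, like the trace in the report, can return NULL without touching the error pointer, and a caller written the way the fixed nma_gconf_connection_new must be, with the pointer initialised to NULL. The directory names "ok", "missing" and "corrupt" are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for GError (assumption: same contract as GLib, not GLib itself). */
typedef struct {
    int   code;
    char *message;
} Err;

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL)
        abort();
    memcpy(p, s, n);
    return p;
}

/* Like g_set_error(): a NULL err means "caller not interested"; an error that is
 * already set is never overwritten, so the caller must start from NULL. */
static void set_error(Err **err, int code, const char *message)
{
    if (err == NULL)
        return;
    if (*err != NULL) {
        fprintf(stderr, "set_error: error already set, not overwriting\n");
        return;
    }
    Err *e = malloc(sizeof *e);
    if (e == NULL)
        abort();
    e->code = code;
    e->message = dup_string(message);
    *err = e;
}

/* Like g_clear_error(): reads *err and frees it if non-NULL. This read is
 * exactly what valgrind flagged in the report: with an uninitialised pointer
 * it frees stack garbage, which glibc reports as "munmap_chunk(): invalid pointer". */
static void clear_error(Err **err)
{
    if (err == NULL || *err == NULL)
        return;
    free((*err)->message);
    free(*err);
    *err = NULL;
}

/* Stand-in for nm_gconf_read_connection(): "missing" fails WITHOUT setting
 * the error (the case that exposed the bug), "corrupt" fails and sets it,
 * anything else succeeds. Returns the connection name or NULL. */
static const char *read_connection(const char *conf_dir, Err **error)
{
    if (strcmp(conf_dir, "missing") == 0)
        return NULL;
    if (strcmp(conf_dir, "corrupt") == 0) {
        set_error(error, 2, "bad connection data");
        return NULL;
    }
    return conf_dir;
}

/* Caller written the correct way. Returns 1 on success, 0 on failure;
 * *reported_code receives the code the warning line prints (-1 when the
 * callee failed without reporting, mirroring the original g_warning()). */
int connection_new(const char *conf_dir, int *reported_code)
{
    Err *error = NULL;   /* the fix: never leave this uninitialised */
    const char *connection = read_connection(conf_dir, &error);

    if (connection) {
        *reported_code = 0;
        return 1;
    }
    *reported_code = error ? error->code : -1;
    fprintf(stderr, "%s: (%s) error reading connection: (%d) %s\n",
            __func__, conf_dir, *reported_code,
            error && error->message ? error->message : "(unknown)");
    clear_error(&error);  /* safe: error is either NULL or a real Err */
    return 0;
}

int main(void)
{
    const char *dirs[] = { "ok", "missing", "corrupt" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        int code;
        int ok = connection_new(dirs[i], &code);
        printf("%s: ok=%d reported_code=%d\n", dirs[i], ok, code);
    }
    return 0;
}
```

The "missing" case is the one that matters: the callee returns NULL and never assigns through the pointer, so whatever the caller put in error is what clear_error() frees. With the NULL initialisation the failure path logs code -1 and returns cleanly; without it the behaviour is undefined, which is why the reporter's debug build happened to survive while the release build aborted. Building with `-fsanitize=address` or running under valgrind shows the uninitialised read the same way the report's valgrind output does.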