Bug 785979 - a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder
Status: RESOLVED OBSOLETE
Product: nautilus
Classification: Core
Component: File and Folder Operations
Version: 3.18.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Nautilus Maintainers
QA Contact: Nautilus Maintainers
Depends on:
Blocks:
Reported: 2017-08-08 01:35 UTC by YongJi OuYang
Modified: 2019-03-14 11:21 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
a crafted file folder will crash nautilus. (461.86 KB, application/zip)
2017-08-08 01:35 UTC, YongJi OuYang

Description YongJi OuYang 2017-08-08 01:35:26 UTC
Created attachment 357167
a crafted file folder will crash nautilus.

allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder. 

*** Error in `/usr/bin/nautilus': free(): invalid next size (fast): 0x00007fffb00011e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff343a7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7ffff344337a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff344753c]
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-bmp.so(+0x108e)[0x7fffd4fb108e]
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0(gdk_pixbuf_loader_close+0x10b)[0x7ffff520bf9b]
/usr/lib/x86_64-linux-gnu/libgnome-desktop-3.so.12(+0x11221)[0x7ffff731c221]
/usr/lib/x86_64-linux-gnu/libgnome-desktop-3.so.12(gnome_desktop_thumbnail_factory_generate_thumbnail+0x82)[0x7ffff731c792]
/usr/bin/nautilus[0x4d30a0]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7ffff37946ba]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7ffff34ca3dd]
Thread 12 "nautilus" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffd51d5700 (LWP 5171)]
0x00007ffff33f8428 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: e97486e3f956511dc1ed16f99d0ed884.fa19faa6d19ec29cb2352ee138c912fb
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: HeapError (10/22), AbortSignal (20/22)
Comment 1 Ernestas Kulik 2017-08-11 11:19:11 UTC
Not reproducible with the latest stack. Judging by the stack trace, the issue is (was) with gdk-pixbuf, anyway, since that’s what’s trying to thumbnail some of the files.
Comment 2 Marcus Meissner 2019-03-14 10:10:18 UTC
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-

seems to indicate this is gtk2 2.10.0, right?

reporter, what were the gdk-pixbuf and gtk3 and gtk2 versions in use?
Comment 3 Marcus Meissner 2019-03-14 10:13:27 UTC
And also, can you check which of the 1000 files you attached is the problematic one?
Comment 4 Ernestas Kulik 2019-03-14 11:21:26 UTC
(In reply to Marcus Meissner from comment #2)
> /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-
> 
> seems to indicate this is gtk2 2.10.0, right?

Nope, gdk-pixbuf is a separate thing.
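Added here as a triage aid for the question in comment 3 (which of the many attached files is the problematic one), since the backtrace points at the gdk-pixbuf BMP loader: this is example code written for this page, not nautilus or gdk-pixbuf code, and the BMP samples it builds are constructed. It parses the BMP file and DIB headers and reports the inconsistencies a loader must reject before sizing any pixel buffer, so a folder of suspect files can be narrowed down without letting a thumbnailer touch them.

```python
import os
import struct

BMP_HEADER = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER

def stride(width, bpp):
    return ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes

def make_bmp(width, height, bpp=24, truncate=False):
    """Constructed sample (not from the bug's attachment): an honest BMP, or
    with truncate=True one whose header promises pixel data that is absent."""
    pixels = stride(width, bpp) * abs(height)
    head = b"BM" + struct.pack("<IHHI", BMP_HEADER + pixels, 0, 0, BMP_HEADER)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                      pixels, 2835, 2835, 0, 0)
    return head + dib + (b"" if truncate else b"\x00" * pixels)

def check_bmp(data):
    """Return the header inconsistencies a loader has to reject before it
    allocates buffers. An empty list means self-consistent, not safe."""
    if len(data) < BMP_HEADER or data[:2] != b"BM":
        return ["not a BMP or header truncated"]
    file_size, _, _, pixel_off = struct.unpack_from("<IHHI", data, 2)
    dib_size, width, height, _, bpp, comp, _ = struct.unpack_from("<IiiHHII", data, 14)
    problems = []
    if width <= 0 or height == 0 or width > 1 << 15 or abs(height) > 1 << 15:
        problems.append(f"suspicious dimensions {width}x{height}")
    if bpp not in (1, 4, 8, 16, 24, 32):
        problems.append(f"unsupported bpp {bpp}")
    elif comp == 0:  # BI_RGB: uncompressed, so the required size is computable
        need = stride(width, bpp) * abs(height)
        have = max(len(data) - pixel_off, 0)
        if need > have:
            problems.append(f"header promises {need} pixel bytes, file holds {have}")
    if pixel_off < 14 + dib_size or pixel_off > len(data):
        problems.append(f"pixel offset {pixel_off} outside the file")
    if file_size != len(data):
        problems.append(f"declared size {file_size} != actual {len(data)}")
    return problems

def triage_folder(path):
    """Map every .bmp under path to its problems; the non-empty entries are
    the files to isolate first."""
    report = {}
    for root, _, names in os.walk(path):
        for name in names:
            if name.lower().endswith(".bmp"):
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    report[full] = check_bmp(fh.read())
    return report
```

A clean report only means the header is internally consistent; the crashing file may still need to be found by running each flagged candidate through the loader in isolation.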