Message-ID: <20180919192018.GA6402@openwall.com>
Date: Wed, 19 Sep 2018 21:20:18 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: tdesktop 1.3.14: index out of range

Hi,

I'm posting this primarily to clarify why something as wrong-looking as
this report got through moderation, and secondarily to ask that postings
to oss-security should clearly describe security impact rather than
leave people (even moderators) guessing why they're seeing this in here.

On Wed, Sep 19, 2018 at 11:47:00PM +0530, Dhiraj Mishra wrote:
> Affected Product: tdesktop-1.3.14 tested on Ubuntu 18.04 LTS x64
> 
> *Steps to reproduce:*
> 1. Open Telegram
> 2. Launch theme editor
> 3. Save the file in some location
> 4. The tdesktop then opens "Edit color palette"
> 5. Type "Hello World" in search <press enter>
> 6. The tdesktop crashes
> 
> Crashes, ASSERT failure in QVector<T>::operator[]: "index out of range",
> file /usr/local/tdesktop/Qt-5.6.2/include/QtCore/qvector.h, line 431
> Aborted (core dumped)

FWIW, this doesn't look like a security issue to me, but I'm not
familiar with tdesktop and don't consider it list moderators' job to
distinguish security from non-security issues except in even more
obvious cases.  In this case, I'm just 99% sure it's non-security.

Maybe someone will see a way to make this cross a privilege boundary,
which the above example doesn't appear to do.  Even with distribution of
a malicious theme file (just guessing here as the example above is
unclear on what file is involved or on what exactly causes the crash)
from one user to others, this doesn't appear to be a security issue as
the impact would have been a mere crash (since the out of range index is
properly detected), which looks irrelevant as a security attack in that
scenario.

For this to be a security issue, a privilege boundary would need to be
crossed _and_ either the impact needs to be worse than a mere crash or
the attack would need to be performed without the target user's interaction.

If someone finds a way to _avoid_ the detected "index out of range"
condition yet have the program misbehave differently, that will be more
valuable as a potential attack.

Alexander
