[oss-security] tdesktop 1.3.14: index out of range
Dhiraj Mishra
2018-09-19 18:17:00 UTC
Affected Product: tdesktop-1.3.14 tested on Ubuntu 18.04 LTS x64

*Steps to reproduce:*
1. Open Telegram
2. Launch theme editor
3. Save the file in some location
4. tdesktop then opens "Edit color palette"
5. Type "Hello World" in search <press enter>
6. tdesktop crashes

Crashes, ASSERT failure in QVector<T>::operator[]: "index out of range",
file /usr/local/tdesktop/Qt-5.6.2/include/QtCore/qvector.h, line 431
Aborted (core dumped)

*Backtrace:*
$ gdb ./Telegram
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./Telegram...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/input0/Desktop/Telegram/Telegram
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff40e5700 (LWP 8743)]
[New Thread 0x7ffff32ca700 (LWP 8744)]
[New Thread 0x7ffff2ac9700 (LWP 8746)]
[New Thread 0x7ffff19fa700 (LWP 8747)]
[New Thread 0x7ffff11f9700 (LWP 8748)]
[Thread 0x7ffff19fa700 (LWP 8747) exited]
[New Thread 0x7ffff19fa700 (LWP 8749)]
[New Thread 0x7fffd4da1700 (LWP 8750)]
[New Thread 0x7fffcb25c700 (LWP 8751)]
[Thread 0x7fffcb25c700 (LWP 8751) exited]
[New Thread 0x7fffcb25c700 (LWP 8752)]
[New Thread 0x7fffcb25c700 (LWP 8753)]
[Thread 0x7fffcb25c700 (LWP 8752) exited]
[New Thread 0x7fffcaa5b700 (LWP 8754)]
[New Thread 0x7fffca25a700 (LWP 8755)]
[New Thread 0x7fffc9a59700 (LWP 8756)]
[Thread 0x7fffc9a59700 (LWP 8756) exited]
(Telegram:8739): libappindicator-CRITICAL **: 13:18:28.549:
app_indicator_set_icon_full: assertion 'IS_APP_INDICATOR (self)' failed
[New Thread 0x7fffc9a59700 (LWP 8757)]
[New Thread 0x7fffc9258700 (LWP 8758)]
[New Thread 0x7fffc8a57700 (LWP 8759)]
[New Thread 0x7fffb3fff700 (LWP 8760)]
[New Thread 0x7fffb37fe700 (LWP 8761)]
[Thread 0x7fffb3fff700 (LWP 8760) exited]
[New Thread 0x7fffb3fff700 (LWP 8762)]
[New Thread 0x7fffb2ffd700 (LWP 8763)]
[Thread 0x7fffb37fe700 (LWP 8761) exited]
[Thread 0x7fffc9258700 (LWP 8758) exited]
[Thread 0x7fffc8a57700 (LWP 8759) exited]
[New Thread 0x7fffc8a57700 (LWP 8764)]
[New Thread 0x7fffc9258700 (LWP 8765)]
[New Thread 0x7fffb37fe700 (LWP 8766)]
[Thread 0x7fffc9258700 (LWP 8765) exited]
[Thread 0x7fffb37fe700 (LWP 8766) exited]
[Thread 0x7fffc8a57700 (LWP 8764) exited]
[New Thread 0x7fffc8a57700 (LWP 8767)]
[Thread 0x7fffb3fff700 (LWP 8762) exited]
[Thread 0x7fffc8a57700 (LWP 8767) exited]
[New Thread 0x7fffc8a57700 (LWP 8769)]
[New Thread 0x7fffb3fff700 (LWP 8770)]
Gtk-Message: 13:18:41.228: GtkDialog mapped without a transient parent.
This is discouraged.
[New Thread 0x7fffb37fe700 (LWP 8772)]
[Thread 0x7fffc8a57700 (LWP 8769) exited]
[Thread 0x7fffb2ffd700 (LWP 8763) exited]
ASSERT failure in QVector<T>::operator[]: "index out of range", file
/usr/local/tdesktop/Qt-5.6.2/include/QtCore/qvector.h, line 431

Thread 1 "Telegram" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff5f7ae97 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff5f7c801 in __GI_abort () at abort.c:79
#2 0x00000000022944a1 in ()
#3 0x0000000003c183a0 in ()
#4 0x0000003000000030 in ()
#5 0x00007fffffffcdc0 in ()
#6 0x00007fffffffcd00 in ()
#7 0x000000000000006c in ()
#8 0x00007ffff74696f0 in () at /lib/x86_64-linux-gnu/libdbus-1.so.3
#9 0x000000000291c5b1 in ()
#10 0x0000000003be003d in ()
#11 0x000000000291b440 in ()
#12 0x00000000000001af in ()
#13 0x0000000000000000 in ()
(gdb)

PS: No CVE is assigned yet to this issue.


Thank you
--
Regards

*Dhiraj Mishra.* GPG ID: 51720F56 | Fingerprint: 1F6A FC7B 05AA CF29
8C1C ED65 3233 4D18 5172 0F56
Stuart D. Gathman
2018-09-19 19:02:28 UTC
Post by Dhiraj Mishra
Affected Product: tdesktop-1.3.14 tested on Ubuntu 18.04 LTS x64
...
Crashes, ASSERT failure in QVector<T>::operator[]: "index out of range",
How does this affect security? Does it improve over-all security by
discouraging the use of centralized services like telegram?
--
Stuart D. Gathman <***@gathman.org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
Solar Designer
2018-09-19 19:20:18 UTC
Hi,

I'm posting this primarily to clarify why something as wrong-looking as
this report got through moderation, and secondarily to ask that postings
to oss-security should clearly describe security impact rather than
leave people (even moderators) guessing why they're seeing this in here.
Post by Dhiraj Mishra
Affected Product: tdesktop-1.3.14 tested on Ubuntu 18.04 LTS x64
*Steps to reproduce:*
1. Open Telegram
2. Launch theme editor
3. Save the file in some location
4. tdesktop then opens "Edit color palette"
5. Type "Hello World" in search <press enter>
6. tdesktop crashes
Crashes, ASSERT failure in QVector<T>::operator[]: "index out of range",
file /usr/local/tdesktop/Qt-5.6.2/include/QtCore/qvector.h, line 431
Aborted (core dumped)
FWIW, this doesn't look like a security issue to me, but I'm not
familiar with tdesktop and don't consider it list moderators' job to
distinguish security from non-security issues except in even more
obvious cases. In this case, I'm just 99% sure it's non-security.

Maybe someone will see a way to make this cross a privilege boundary,
which the above example doesn't appear to do. Even with distribution of
a malicious theme file (just guessing here as the example above is
unclear on what file is involved or on what exactly causes the crash)
from one user to others, this doesn't appear to be a security issue as
the impact would have been a mere crash (since the out of range index is
properly detected), which looks irrelevant as a security attack in that
scenario.

For this to be a security issue, a privilege boundary would need to be
crossed _and_ either the impact needs to be worse than a mere crash or
the attack would need to be performed without the target user's interaction.

If someone finds a way to _avoid_ the detected "index out of range"
condition yet have the program misbehave differently, that will be more
valuable as a potential attack.

Alexander
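As an added illustration of the distinction drawn above (a bounds check that fires turns a bad index into a controlled abort, i.e. a crash, whereas the fix is to never attempt the access in the first place), here is a small C++ example. It is not tdesktop's code: the thread does not identify the actual code path, so the palette entries, the `searchPalette`/`firstMatch*` functions and their names are constructed for this example. `std::vector::at` stands in for Qt's asserting `QVector::operator[]` as the checked accessor.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed sample palette; the entry names are illustrative, not tdesktop's real keys.
struct PaletteEntry {
    std::string name;
    std::string value;
};

const std::vector<PaletteEntry> kPalette = {
    {"windowBg", "#ffffff"},
    {"windowFg", "#000000"},
    {"titleBg", "#f0f0f0"},
};

// Result of a guarded lookup: `found` is false when the query matched nothing.
struct MatchResult {
    bool found;
    std::string value;
};

// Case-sensitive substring search over entry names; returns the matching indices.
// A query that matches nothing (e.g. "Hello World") yields an empty vector.
std::vector<std::size_t> searchPalette(const std::vector<PaletteEntry>& palette,
                                       const std::string& needle) {
    std::vector<std::size_t> hits;
    for (std::size_t i = 0; i < palette.size(); ++i) {
        if (palette[i].name.find(needle) != std::string::npos) {
            hits.push_back(i);
        }
    }
    return hits;
}

// Unguarded pattern: uses the first hit without checking that there is one.
// Because the accessor is bounds-checked, the empty-result case is *detected*
// and the failure is an exception (or, with an asserting accessor, an abort):
// a crash, never a read past the end of the buffer.
std::string firstMatchUnguarded(const std::vector<PaletteEntry>& palette,
                                const std::string& needle) {
    const std::vector<std::size_t> hits = searchPalette(palette, needle);
    return palette.at(hits.at(0)).value;  // throws std::out_of_range when hits is empty
}

// Guarded pattern: the no-match case is handled explicitly, so no out-of-range
// access is attempted at all. This is the shape of the actual fix.
MatchResult firstMatchGuarded(const std::vector<PaletteEntry>& palette,
                              const std::string& needle) {
    const std::vector<std::size_t> hits = searchPalette(palette, needle);
    if (hits.empty()) {
        return MatchResult{false, std::string()};
    }
    return MatchResult{true, palette[hits.front()].value};
}

// Reports whether the unguarded path's bad index was caught by the bounds check
// (true means the check fired; false means the lookup simply succeeded).
bool outOfRangeDetected(const std::string& needle) {
    try {
        (void)firstMatchUnguarded(kPalette, needle);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```

The point of the two variants is the one made in the thread: with a checked accessor the worst case of the unguarded code is a denial of service of the user's own client, which is why the report on its own does not cross a privilege boundary; the guarded variant removes even that by treating an empty result set as a normal outcome rather than an index.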
