Created attachment 121975
ASan output

Hello, a crafted .desktop file is able to cause a heap-based buffer overflow. You can see it if you compile with address sanitizer. I'm attaching the asan output and the crafted file.
Created attachment 121976
crafted file
I'm reporting the issue as-is. Feel free to get in touch with your security team and/or mitre if you think it can be considered a security issue and it needs to have a CVE assigned.
Thank you. I'm looking into a fix for this.
Created attachment 122020
0001-validate-Fix-buffer-over-read-on-incomplete-escape-s.patch

Fix; verified with valgrind and pushed to master.
Feel free to correct me, but I doubt this bug warrants a CVE ID. It's a buffer over-read, and out-of-bounds data is not copied into another buffer or returned via pointer. The control flow is not affected beyond skipping over the '\0' and reading up to the first unescaped '\0' or until a memory access violation occurs. Furthermore, I'm not aware of situations where even a valid .desktop file from an untrusted source would be safe to use. If you were crafting a malicious file, you could put something much more exciting in the Exec=... field.

The extent of the vulnerability from a crafted file seems to be:
- Make desktop-file-validate crash.
- Make desktop-file-install crash.
- If it doesn't crash, a value terminating in an invalid escape sequence ("\\\0") could pass validation.

This is obviously still bad, so I'll make a release shortly with the fix.
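The incomplete-escape over-read described in the comment above, as an added C illustration that is not desktop-file-utils' own code: a buggy escape checker that steps over the terminator beside the fixed one that rejects a trailing backslash. The function names, the constructed sample value and the scan-length out-parameter are assumptions; the escape set (\s \n \t \r \\) is the one the Desktop Entry Specification allows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical checker for the escapes allowed in .desktop string values.
 * Illustration of the bug class, not the desktop-file-utils code.
 * *scanned (may be NULL) receives the number of bytes examined. */
static const char VALID_ESCAPES[] = "sntr\\";

/* Buggy variant: on a backslash it steps to the next byte without checking
 * for the terminator. If the value ends in a lone backslash, p lands on the
 * '\0'; strchr() even matches it (the terminator counts as part of the
 * search string), so the scan continues past the end of the value and reads
 * until the next unescaped '\0' it happens to find. */
bool validate_escapes_buggy(const char *value, size_t *scanned)
{
    const char *p = value;
    bool ok = true;
    for (; *p != '\0'; p++) {
        if (*p == '\\') {
            p++;                                  /* may step onto the '\0' */
            if (strchr(VALID_ESCAPES, *p) == NULL) { ok = false; break; }
        }
    }
    if (scanned) *scanned = (size_t)(p - value);
    return ok;
}

/* Fixed variant: a backslash followed by the terminator is an incomplete
 * escape; reject it and never advance past the '\0'. */
bool validate_escapes_fixed(const char *value, size_t *scanned)
{
    const char *p = value;
    bool ok = true;
    for (; *p != '\0'; p++) {
        if (*p == '\\') {
            p++;
            if (*p == '\0' || strchr(VALID_ESCAPES, *p) == NULL) { ok = false; break; }
        }
    }
    if (scanned) *scanned = (size_t)(p - value);
    return ok;
}

/* Constructed sample: "abc\" followed by its terminator. The bytes after the
 * '\0' are kept inside the same array so the demo has no undefined behaviour;
 * they stand in for whatever memory follows the real heap buffer. */
const char crafted_value[] = "abc\\\0XYZ";

/* Wrappers returning only how many bytes each variant examined. */
size_t buggy_scan_length(const char *v) { size_t n; validate_escapes_buggy(v, &n); return n; }
size_t fixed_scan_length(const char *v) { size_t n; validate_escapes_fixed(v, &n); return n; }
```

For the sample, the buggy variant accepts the value and examines 8 bytes although strlen() is 4; the fixed variant rejects it after 4 bytes.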
*** Bug 90784 has been marked as a duplicate of this bug. ***
Fixed in desktop-file-utils 0.23, which was just released. Thanks!