[Pkg-utopia-maintainers] Bug#566625: NetworkManager applet for GNOME crashes deleting wireless connections

Kalle Olavi Niemitalo kon at iki.fi
Thu Apr 28 19:19:53 UTC 2011


package network-manager-gnome
fixed 566625 network-manager-applet/0.7.999-1
quit

This bug seems to be caused by uninitialized GError *error in
network-manager-applet-0.7.2/src/gconf-helpers/nma-gconf-connection.c
(nma_gconf_connection_new).  nm-connection-editor did not crash
when I tested with a debug build, because the variable somehow
became NULL then; but if I set error = (GError *) 1 with GDB
after the declaration, then it crashed.  Also, valgrind shows the
bug in the debug build without GDB:

==9114== Conditional jump or move depends on uninitialised value(s)
==9114==    at 0x756CF1F: g_clear_error (gerror.c:300)
==9114==    by 0x441864: nma_gconf_connection_new (nma-gconf-connection.c:83)
==9114==    by 0x437905: connection_changes_done (nma-gconf-settings.c:317)
==9114==    by 0x757D6F1: g_main_context_dispatch (gmain.c:1960)
==9114==    by 0x7581567: g_main_context_iterate (gmain.c:2591)
==9114==    by 0x7581A74: g_main_loop_run (gmain.c:2799)
==9114==    by 0x41C0BA: main (main.c:291)

The Debian network-manager-gnome 0.7.2-2 binary likewise crashes
somewhere in g_clear_error:

#0  0x00007ffff50b2165 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff50b4f70 in *__GI_abort () at abort.c:92
#2  0x00007ffff50e827b in __libc_message (do_abort=<value optimized out>, 
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff50f1ad6 in malloc_printerr (action=3, 
    str=0x7ffff51a89f0 "munmap_chunk(): invalid pointer", 
    ptr=<value optimized out>) at malloc.c:6267
#4  0x00007ffff540eee2 in IA__g_error_free (error=0x7ffff56bc170)
    at /scratch/build-area/glib2.0-2.24.2/glib/gerror.c:138
#5  0x00007ffff540ef26 in IA__g_clear_error (err=0x7fffffffe0b8)
    at /scratch/build-area/glib2.0-2.24.2/glib/gerror.c:302
#6  0x000000000043824a in nma_gconf_connection_new ()
#7  0x000000000043096d in ?? ()
#8  0x00007ffff541f6f2 in g_main_dispatch (context=0x68eae0)
    at /scratch/build-area/glib2.0-2.24.2/glib/gmain.c:1960
#9  IA__g_main_context_dispatch (context=0x68eae0)
    at /scratch/build-area/glib2.0-2.24.2/glib/gmain.c:2513
#10 0x00007ffff5423568 in g_main_context_iterate (context=0x68eae0, 
    block=<value optimized out>, dispatch=<value optimized out>, 
    self=<value optimized out>)
    at /scratch/build-area/glib2.0-2.24.2/glib/gmain.c:2591
#11 0x00007ffff5423a75 in IA__g_main_loop_run (loop=0x6e7760)

The code in nma_gconf_connection_new looks like this:

	GError *error;
...
	connection = nm_gconf_read_connection (client, conf_dir, &error);
	if (connection) {
...
	} else {
		g_warning ("%s: (%s) error reading connection: (%d) %s",
		           __func__, conf_dir,
		           error ? error->code : -1,
		           error && error->message ? error->message : "(unknown)");
		g_clear_error (&error);
	}

http://developer.gnome.org/glib/unstable/glib-Error-Reporting.html
says: "A GError* must be initialized to NULL before passing its
address to a function that can report errors."  Thus, the bug is
in network-manager-applet, not in gconf_client_all_dirs to which
nm_gconf_read_connection passes the error pointer.

The bug was caused by a patch that was made to fix CVE-2009-4144,
included in network-manager-applet 0.7.3-beta2, and applied by Debian
as 03-CVE-2009-4144_fix_ca_cert_handling_after_cert_file_deletion.patch
in network-manager-applet 0.7.2-2:
http://git.gnome.org/browse/network-manager-applet/commit/?h=NETWORKMANAGER_APPLET_0_7&id=4020594dfbf566f1852f0acb36ad631a9e73a82b
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4144

The bug was fixed in network-manager-applet 0.7.3:
http://git.gnome.org/browse/network-manager-applet/commit/?h=NETWORKMANAGER_APPLET_0_7&id=71e294a08119f9a1023518a3803631a808bf87bd
https://bugzilla.gnome.org/show_bug.cgi?id=621401
https://bugzilla.novell.com/show_bug.cgi?id=611630

In network-manager-applet 0.7.0, 0.8.0, and 0.8.4,
nma_gconf_connection_new does not use GError at all and thus
cannot have this bug.  The flawed patch was removed in Debian
network-manager-applet 0.7.999-1.
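As an added illustration, not the reporter's code and not GLib or network-manager-applet code, here is a small C model of the pattern above: the reader leaves its out-parameter untouched when it simply finds nothing, so whatever the uninitialised slot held reaches the clear call, whereas starting from NULL (the 0.7.3 fix) makes the clear a no-op. The names pool, not_from_pool, read_connection and connection_new are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for GLib's GError / g_set_error / g_clear_error, written
 * for this example only; it is neither GLib nor network-manager-applet code. */
typedef struct { int code; const char *message; } Error;

static Error pool;          /* the single Error this toy allocator hands out */
static Error not_from_pool; /* readable memory that is NOT a valid Error allocation */

static void set_error(Error **err, int code, const char *msg) {
    if (!err) return;
    pool.code = code; pool.message = msg;
    *err = &pool;
}

/* Like g_clear_error: NULL is a no-op, an allocated Error is freed.  Anything
 * else returns 1, modelling glibc's "munmap_chunk(): invalid pointer" abort
 * from the backtrace in the report. */
static int clear_error(Error **err) {
    if (!err || *err == NULL) return 0;
    if (*err == &pool) { *err = NULL; return 0; }
    return 1;
}

/* Models nm_gconf_read_connection: a known directory yields a connection,
 * an empty path is reported through *err, and an unknown directory returns
 * NULL while leaving *err untouched, exactly the case that bites the caller. */
static const char *read_connection(const char *conf_dir, Error **err) {
    if (strcmp(conf_dir, "/system/networking/connections/1") == 0)
        return "wlan0-home";
    if (conf_dir[0] == '\0') { set_error(err, 2, "empty path"); return NULL; }
    return NULL;
}

/* The caller pattern from nma_gconf_connection_new.  `stack_garbage` stands
 * in for whatever the uninitialised slot happened to contain (NULL in the
 * debug build, a non-NULL value in the GDB experiment); initialise == 1 is
 * the fix from 0.7.3: start from NULL.  Returns 1 if clearing would crash. */
static int connection_new(const char *conf_dir, Error *stack_garbage, int initialise) {
    Error *error = initialise ? NULL : stack_garbage;
    const char *connection = read_connection(conf_dir, &error);
    if (connection) return 0;
    printf("error reading connection: (%d) %s\n",
           error ? error->code : -1,
           error && error->message ? error->message : "(unknown)");
    return clear_error(&error);
}
```

A real build only hits the abort when the leftover stack value is non-NULL, which is why the debug build in the report ran clean until the slot was forced to a bogus value.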