Telegram Desktop (aka tdesktop) 1.3.14 might allow attackers to cause a
denial of service (assertion failure and application exit) via an "Edit
color palette" search that triggers an "index out of range" condition.
NOTE: this issue is disputed by multiple third parties because the
described attack scenario does not cross a privilege boundary.
*Steps to reproduce:*
1. Open Telegram
2. Launch theme editor
3. Save the file in some location
4. The tdesktop then open "Edit color palette"
5. Type "Hello World" in search <press enter>
6. The tdesktop gets crash
Crashes, ASSERT failure in QVector<T>::operator[]: "index out of range",
file /usr/local/tdesktop/Qt-5.6.2/include/QtCore/qvector.h, line 431
Aborted (core dumped)
*Backtrace:*
$ gdb ./Telegram
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html
>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./Telegram...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/input0/Desktop/Telegram/Telegram
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff40e5700 (LWP 8743)]
[New Thread 0x7ffff32ca700 (LWP 8744)]
[New Thread 0x7ffff2ac9700 (LWP 8746)]
[New Thread 0x7ffff19fa700 (LWP 8747)]
[New Thread 0x7ffff11f9700 (LWP 8748)]
[Thread 0x7ffff19fa700 (LWP 8747) exited]
[New Thread 0x7ffff19fa700 (LWP 8749)]
[New Thread 0x7fffd4da1700 (LWP 8750)]
[New Thread 0x7fffcb25c700 (LWP 8751)]
[Thread 0x7fffcb25c700 (LWP 8751) exited]
[New Thread 0x7fffcb25c700 (LWP 8752)]
[New Thread 0x7fffcb25c700 (LWP 8753)]
[Thread 0x7fffcb25c700 (LWP 8752) exited]
[New Thread 0x7fffcaa5b700 (LWP 8754)]
[New Thread 0x7fffca25a700 (LWP 8755)]
[New Thread 0x7fffc9a59700 (LWP 8756)]
[Thread 0x7fffc9a59700 (LWP 8756) exited]
(Telegram:8739): libappindicator-CRITICAL **: 13:18:28.549:
app_indicator_set_icon_full: assertion 'IS_APP_INDICATOR (self)' failed
[New Thread 0x7fffc9a59700 (LWP 8757)]
[New Thread 0x7fffc9258700 (LWP 8758)]
[New Thread 0x7fffc8a57700 (LWP 8759)]
[New Thread 0x7fffb3fff700 (LWP 8760)]
[New Thread 0x7fffb37fe700 (LWP 8761)]
[Thread 0x7fffb3fff700 (LWP 8760) exited]
[New Thread 0x7fffb3fff700 (LWP 8762)]
[New Thread 0x7fffb2ffd700 (LWP 8763)]
[Thread 0x7fffb37fe700 (LWP 8761) exited]
[Thread 0x7fffc9258700 (LWP 8758) exited]
[Thread 0x7fffc8a57700 (LWP 8759) exited]
[New Thread 0x7fffc8a57700 (LWP 8764)]
[New Thread 0x7fffc9258700 (LWP 8765)]
[New Thread 0x7fffb37fe700 (LWP 8766)]
[Thread 0x7fffc9258700 (LWP 8765) exited]
[Thread 0x7fffb37fe700 (LWP 8766) exited]
[Thread 0x7fffc8a57700 (LWP 8764) exited]
[New Thread 0x7fffc8a57700 (LWP 8767)]
[Thread 0x7fffb3fff700 (LWP 8762) exited]
[Thread 0x7fffc8a57700 (LWP 8767) exited]
[New Thread 0x7fffc8a57700 (LWP 8769)]
[New Thread 0x7fffb3fff700 (LWP 8770)]
Gtk-Message: 13:18:41.228: GtkDialog mapped without a transient parent.
This is discouraged.
[New Thread 0x7fffb37fe700 (LWP 8772)]
[Thread 0x7fffc8a57700 (LWP 8769) exited]
[Thread 0x7fffb2ffd700 (LWP 8763) exited]
ASSERT failure in QVector<T>::operator[]: "index out of range", file
/usr/local/tdesktop/Qt-5.6.2/include/QtCore/qvector.h, line 431
Thread 1 "Telegram" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff5f7ae97 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff5f7c801 in __GI_abort () at abort.c:79
#2 0x00000000022944a1 in ()
#3 0x0000000003c183a0 in ()
#4 0x0000003000000030 in ()
#5 0x00007fffffffcdc0 in ()
#6 0x00007fffffffcd00 in ()
#7 0x000000000000006c in ()
#8 0x00007ffff74696f0 in () at /lib/x86_64-linux-gnu/libdbus-1.so.3
#9 0x000000000291c5b1 in ()
#10 0x0000000003be003d in ()
#11 0x000000000291b440 in ()
#12 0x00000000000001af in ()
#13 0x0000000000000000 in ()
(gdb)
*References:* https://www.openwall.com/lists/oss-security/2018/09/19/8
Thank you
--
Regards
*Dhiraj Mishra.*GPG ID : 51720F56 | Finger Print : 1F6A FC7B 05AA CF29
8C1C ED65 3233 4D18 5172 0F56