0008979: Plaso worker segfaults when using libolecf-python dependency to read binary file - Kali Linux Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0008979	Kali Linux	Kali Package Bug	public	2024-10-30 19:08	2024-11-06 13:28

Reporter	s-vx	Assigned To	sbrun
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	assigned	Resolution	open

Summary	0008979: Plaso worker segfaults when using libolecf-python dependency to read binary file
Description	System is a fresh install of Kali Rolling 2024.3 with only plaso package installed `┌──(kali㉿host)-[~] └─$ uname -a Linux host 6.11.2-amd64 0000001 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64 GNU/Linux` Involved dependencies: ┌──(kali㉿host)-[~] └─$ dpkg -l python3-libolecf python3-xlsxwriter python3-plaso Desired=Unknown/Install/Remove/Purge/Hold \| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend \|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) \|\|/ Name Version Architecture Description +++-======================-===============-============-============================================================= ii python3-libolecf:amd64 20181231-2.1+b2 amd64 OLE2 Compound File format access library -- Python 3 bindings ii python3-plaso 20240409-0kali1 all super timeline all the things -- Python 3 ii python3-xlsxwriter 3.1.9-1 all Python 3 module for creating Excel XLSX files To reproduce this issue we will use plaso to process file `/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin` which will segfault the plaso worker. ┌──(kali㉿host)-[~] └─$ psteal --no-dependencies-check --single-process --source /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin -w vbaProject.bin.csv --debug 2024-10-30 17:48:12,761 [INFO] (MainProcess) PID:5977 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts WARNING: the version of plaso you are using is more than 6 months old. We strongly recommend to update it. Source path : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin Source type : single file Processing time : 00:00:00 Processing started. plaso - psteal version 20240409 Source path : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin Source type : single file Processing time : 00:00:00 Identifier PID Status Memory Sources Event Data File Main 5977 running 117.9 MiB 0 (0) 0 (0) zsh: segmentation fault psteal --no-dependencies-check --single-process --source -w --debug We observe the following error message in the journal log `┌──(root㉿host)-[~] └─# journalctl -n 2 Oct 30 14:59:23 host kernel: psteal[5291]: segfault at 10 ip 000000000058213b sp 00007ffe2f938d20 error 4 in python3.12[18213b,420000+2df000] likely on CPU 0 > Oct 30 14:59:23 host kernel: Code: 0f 85 43 01 00 00 48 85 ff 0f 84 39 01 00 00 55 53 48 83 ec 08 48 c7 c0 f8 ff ff ff 48 8b 1d 3c 22 5c 00 64 48 8b 00 48 89` Plaso generated log file indicate this error might have occurred as the olecf parser was in use ┌──(root㉿host)-[~] └─# zcat psteal-20241030T185922.log.gz \| tail -n 4 gzip: psteal-20241030T185922.log.gz: unexpected end of file 2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <extractors> [ParseFileEntryWithParsers] parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with parser: olecf 2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <olecf> Skipped parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with plugin: olecf_automatic_destinations 2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <olecf> Skipped parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with plugin: olecf_document_summary 2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <olecf> Skipped parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with plugin: olecf_summary We We determined that installing python package version 20231203 ensured the worker wouldn't segfault against this file. We installed python package version from 20181231 to 20231203 to discover that the worker segfault would not occur at on the 2023 version. Therefore, a temporary fix was as follow: `sudo dpkg -r --force-depends "python3-libolecf" sudo pip uninstall --break-system-packages libolecf-python sudo pip install --break-system-packages -U libolecf-python==20231203` Where after running the above commands it was possible to run the initial command without segfaults as displayed below: ┌──(root㉿host)-[/cases] └─# psteal --no-dependencies-check --single-process --source /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin -w vbaProject.bin.csv --debug 2024-10-30 18:45:15,230 [INFO] (MainProcess) PID:103810 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts WARNING: the version of plaso you are using is more than 6 months old. We strongly recommend to update it. Source path : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin Source type : single file Processing time : 00:00:00 Processing started. plaso - psteal version 20240409 Source path : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin Source type : single file Processing time : 00:00:01 Identifier PID Status Memory Sources Events File Main 103810 completed 118.2 MiB 1 (1) 6 (6) OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin Processing completed. plaso - psteal version 20240409 Storage file : 20241030T184515-vbaProject.bin.plaso Processing time : 00:00:00 Events: Filtered In time slice Duplicates MACB grouped Total 0 0 0 6 6 Identifier PID Status Memory Events Tags Reports Main 103810 completed 118.2 MiB 6 (0) 0 (0) 0 (0) Processing completed. Storage file is: 20241030T184515-vbaProject.bin.plaso ┌──(root㉿host)-[/cases] └─# Would it be possible to update this package dependency to avoid this issue? Thanks in advance for your support Best Regards

Date Modified	Username	Field	Change
2024-10-30 19:08	s-vx	New Issue
2024-10-30 21:56	kali-bugreport	Note Added: 0019992
2024-11-06 13:28	sbrun	Assigned To	=> sbrun
2024-11-06 13:28	sbrun	Status	new => assigned