View Issue Details

ID: 0008979
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2024-11-25 14:56
Reporter: s-vx
Assigned To: sbrun
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Fixed in Version: 2024.4
Summary: 0008979: Plaso worker segfaults when using libolecf-python dependency to read binary file
Description

System is a fresh install of Kali Rolling 2024.3 with only plaso package installed

┌──(kali㉿host)-[~]
└─$ uname -a 
Linux host 6.11.2-amd64 0000001 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64 GNU/Linux

Involved dependencies:

┌──(kali㉿host)-[~]
└─$ dpkg -l python3-libolecf python3-xlsxwriter python3-plaso                
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version         Architecture Description
+++-======================-===============-============-=============================================================
ii  python3-libolecf:amd64 20181231-2.1+b2 amd64        OLE2 Compound File format access library -- Python 3 bindings
ii  python3-plaso          20240409-0kali1 all          super timeline all the things -- Python 3
ii  python3-xlsxwriter     3.1.9-1         all          Python 3 module for creating Excel XLSX files

To reproduce this issue we will use plaso to process file /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin which will segfault the plaso worker.

┌──(kali㉿host)-[~]
└─$ psteal --no-dependencies-check --single-process --source /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin -w vbaProject.bin.csv --debug 
2024-10-30 17:48:12,761 [INFO] (MainProcess) PID:5977 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
WARNING: the version of plaso you are using is more than 6 months old. We
strongly recommend to update it.

Source path     : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin
Source type     : single file
Processing time     : 00:00:00

Processing started.

plaso - psteal version 20240409

Source path     : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin
Source type     : single file
Processing time     : 00:00:00

Identifier      PID     Status          Memory          Sources         Event Data      File
Main            5977    running         117.9 MiB       0 (0)           0 (0)           

zsh: segmentation fault  psteal --no-dependencies-check --single-process --source  -w  --debug

We observe the following error message in the journal log

┌──(root㉿host)-[~]
└─# journalctl -n 2
Oct 30 14:59:23 host kernel: psteal[5291]: segfault at 10 ip 000000000058213b sp 00007ffe2f938d20 error 4 in python3.12[18213b,420000+2df000] likely on CPU 0 >
Oct 30 14:59:23 host kernel: Code: 0f 85 43 01 00 00 48 85 ff 0f 84 39 01 00 00 55 53 48 83 ec 08 48 c7 c0 f8 ff ff ff 48 8b 1d 3c 22 5c 00 64 48 8b 00 48 89

The Plaso-generated log file indicates this error might have occurred as the olecf parser was in use

┌──(root㉿host)-[~]
└─# zcat psteal-20241030T185922.log.gz | tail -n 4

gzip: psteal-20241030T185922.log.gz: unexpected end of file
2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <extractors> [ParseFileEntryWithParsers] parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with parser: olecf
2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <olecf> Skipped parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with plugin: olecf_automatic_destinations
2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <olecf> Skipped parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with plugin: olecf_document_summary
2024-10-30 18:59:23,244 [DEBUG] (MainProcess) PID:5291 <olecf> Skipped parsing file: OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin with plugin: olecf_summary

We determined that installing python package version 20231203 ensured the worker wouldn't segfault against this file.
We installed python package versions from 20181231 to 20231203 and discovered that the worker segfault would not occur on the 2023 version.

Therefore, a temporary fix was as follows:

sudo dpkg -r --force-depends "python3-libolecf"
sudo pip uninstall --break-system-packages libolecf-python
sudo pip install --break-system-packages -U libolecf-python==20231203

After running the above commands, it was possible to run the initial command without segfaults, as displayed below:

┌──(root㉿host)-[/cases]
└─# psteal --no-dependencies-check --single-process --source /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin -w vbaProject.bin.csv --debug
2024-10-30 18:45:15,230 [INFO] (MainProcess) PID:103810 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
WARNING: the version of plaso you are using is more than 6 months old. We
strongly recommend to update it.

Source path     : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin
Source type     : single file
Processing time     : 00:00:00

Processing started.

plaso - psteal version 20240409

Source path     : /usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin
Source type     : single file
Processing time     : 00:00:01

Identifier      PID     Status          Memory          Sources         Events          File
Main            103810  completed       118.2 MiB       1 (1)           6 (6)           OS:/usr/share/doc/python3-xlsxwriter/examples/vbaProject.bin

Processing completed.

plaso - psteal version 20240409

Storage file        : 20241030T184515-vbaProject.bin.plaso
Processing time     : 00:00:00

Events:         Filtered        In time slice   Duplicates      MACB grouped    Total
                0               0               0               6               6

Identifier              PID     Status          Memory          Events          Tags            Reports
Main                    103810  completed       118.2 MiB       6 (0)           0 (0)           0 (0)

Processing completed.
Storage file is: 20241030T184515-vbaProject.bin.plaso

┌──(root㉿host)-[/cases]
└─# 

Would it be possible to update this package dependency to avoid this issue?


Thanks in advance for your support
Best Regards
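
A triage aid for the kernel segfault line shown in the journal output above, added here as an example and not part of the original report or of Plaso: it parses the line and decodes the x86 page-fault error code. The sample line is constructed from the one quoted in the report; the function names and the one-page near-NULL threshold are assumptions.

```python
import re

# Constructed sample: the journal line from the report, trailing text trimmed.
SAMPLE = ("Oct 30 14:59:23 host kernel: psteal[5291]: segfault at 10 ip "
          "000000000058213b sp 00007ffe2f938d20 error 4 in "
          "python3.12[18213b,420000+2df000] likely on CPU 0")

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?:(?P<first>[0-9a-f]+),)?"
    r"(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear).
ERR_BITS = [(0x01, "protection violation", "page not present"),
            (0x02, "write", "read"),
            (0x04, "user mode", "kernel mode"),
            (0x08, "reserved bit set", None),
            (0x10, "instruction fetch", None)]

def decode_error(code):
    """Return the human-readable meaning of each error-code bit."""
    labels = []
    for mask, if_set, if_clear in ERR_BITS:
        label = if_set if code & mask else if_clear
        if label:
            labels.append(label)
    return labels

def parse_segfault(line, page_size=4096):
    """Parse one kernel 'segfault at' line; return None if it is not one."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    addr, ip = int(g["addr"], 16), int(g["ip"], 16)
    info = {"comm": g["comm"], "pid": int(g["pid"]),
            "fault_addr": addr, "ip": ip, "object": g["obj"],
            "access": decode_error(int(g["err"], 16)),
            # Heuristic (assumption): a fault inside the first page is
            # treated as a NULL-based pointer dereference.
            "near_null": addr < page_size,
            # First bracketed value, kept raw; absent on older kernels.
            "first_bracket_value": g["first"]}
    if g["base"]:
        base, size = int(g["base"], 16), int(g["size"], 16)
        info["ip_in_mapping"] = base <= ip < base + size
        info["ip_minus_base"] = ip - base
    return info
```

For the quoted line this reports a user-mode read of a non-present page at address 0x10, with the instruction pointer inside the python3.12 mapping, which is consistent with a NULL-based pointer read inside the interpreter.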

Activities

kali-bugreport


2024-10-30 21:56

reporter   ~0019992

Seems like a package directly imported from Debian:

https://packages.debian.org/search?keywords=python3-libolecf

so could require an update request in https://bugs.debian.org/python3-libolecf

sbrun


2024-11-25 14:56

manager   ~0020076

We have updated python3-libolecf. It will be available in a few hours in kali-rolling.

Issue History

Date Modified Username Field Change
2024-10-30 19:08 s-vx New Issue
2024-10-30 21:56 kali-bugreport Note Added: 0019992
2024-11-06 13:28 sbrun Assigned To => sbrun
2024-11-06 13:28 sbrun Status new => assigned
2024-11-25 14:56 sbrun Note Added: 0020076
2024-11-25 14:56 sbrun Status assigned => resolved
2024-11-25 14:56 sbrun Resolution open => fixed
2024-11-25 14:56 sbrun Fixed in Version => 2024.4