bug-ncurses
Re: Status of CVE-2018-19217


From: Damien Guibouret
Subject: Re: Status of CVE-2018-19217
Date: Fri, 19 Apr 2019 21:38:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

Hello,

I was able to reproduce it with the 2 following versions:
ncurses 5.9.20130518
ncurses 6.0.20160213
but not with
ncurses 6.1.20190202

The problem is in _nc_save_str. In case it cannot copy the string it displays a warning and returns NULL. Future use of the string will lead to a segmentation fault. With the first 2 versions, I saw the "Too much data, some is lost" warning (there was a bunch of other warnings before getting the failure, so it does not SIGSEGV at once), not with the last one, but perhaps only because it parses the string differently.

Regards,

Damien


On 19/04/2019 12:28, Sylvain Beucler wrote:
> Hi,
>
> On 16/04/2019 00:54, Thomas Dickey wrote:
>> On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
>>> As part of the Debian LTS project I'm triaging active ncurses
>>> vulnerabilities.
>>>
>>> For CVE-2018-19217, it seems nobody is able to reproduce the bug:
>>> "In ncurses 6.1, there is a NULL pointer dereference at the function
>>> _nc_name_match that will lead to a denial of service attack."
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1643753
>>>
>>> I myself couldn't find a 6.1 version that crashes on this POC.
>>> It was never properly reported to the ncurses project itself, so I'm
>>> doing that now.
>>>
>>> Do you consider this bug valid?
>> no - it was reported in the wrong place, and I was unable to reproduce it.
>>
>>> If not, I can request a rejection of this CVE.
>> sounds good
> MITRE now marks it as "** DISPUTED **".
> Not much more I can do AFAIK.
>
> Thanks!
> - Sylvain
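
An added illustration, not ncurses source and not part of the thread, of the failure pattern described in the message above: a save routine that warns and returns NULL when the string does not fit, and a consumer that checks for NULL before using the result. `pool_save`, `alias_match`, `demo` and the pool size are hypothetical names and values chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not ncurses code. */
#define POOL_SIZE 32 /* constructed, deliberately tiny */
static char pool[POOL_SIZE];
static size_t pool_used;
/* Copy s into the pool. On overflow, warn and return NULL. */
static const char *pool_save(const char *s)
{
    size_t len = strlen(s) + 1;
    if (len > POOL_SIZE - pool_used) {
        fprintf(stderr, "Too much data, some is lost\n");
        return NULL;
    }
    char *dst = pool + pool_used;
    memcpy(dst, s, len);
    pool_used += len;
    return dst;
}

/* Return 1 if name is one of the '|'-separated entries in list.
 * A NULL list (a failed save) means "no match", not a dereference. */
static int alias_match(const char *list, const char *name)
{
    if (list == NULL || name == NULL || *name == '\0')
        return 0;
    size_t n = strlen(name);
    for (const char *p = list; *p != '\0';) {
        size_t seg = strcspn(p, "|");
        if (seg == n && memcmp(p, name, n) == 0)
            return 1;
        p += seg;
        if (*p == '|')
            p++;
    }
    return 0;
}

/* Constructed input: the first string fits, the second does not. */
static int demo(void)
{
    pool_used = 0;
    const char *ok = pool_save("vt100|vt100-am");
    const char *lost = pool_save("a-name-list-longer-than-what-is-left");
    return (ok != NULL) + 2 * (lost == NULL)
         + 4 * alias_match(ok, "vt100-am") + 8 * !alias_match(lost, "vt100");
}
int main(void) { return demo() == 15 ? 0 : 1; }
```

Without the NULL check at the top of `alias_match`, the second call in `demo` would read through a NULL pointer, which is the delayed crash the message describes.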

