bug-ncurses

Re: Status of CVE-2018-19217


From: Sylvain Beucler
Subject: Re: Status of CVE-2018-19217
Date: Sat, 20 Apr 2019 10:10:48 +0200
User-agent: NeoMutt/20170113 (1.7.2)

Hi,

On Fri, Apr 19, 2019 at 09:38:51PM +0200, Damien Guibouret wrote:
> On 19/04/2019 12:28, Sylvain Beucler wrote:
> > On 16/04/2019 00:54, Thomas Dickey wrote:
> > > On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
> > > > As part of the Debian LTS project I'm triaging active ncurses
> > > > vulnerabilities.
> > > > 
> > > > For CVE-2018-19217, it seems nobody is able to reproduce the bug:
> > > > "In ncurses 6.1, there is a NULL pointer dereference at the function
> > > > _nc_name_match that will lead to a denial of service attack."
> > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1643753
> > > > 
> > > > I myself couldn't find a 6.1 version that crashes on this POC.
> > > > It was never properly reported to the ncurses project itself, so I'm
> > > > doing that now.
> > > > 
> > > > Do you consider this bug valid?
> > > no - it was reported in the wrong place, and I was unable to reproduce it.
> > > 
> > > > If not, I can request a rejection of this CVE.
> > > sounds good
> > MITRE now marks it as "** DISPUTED **".
> > Not much more I can do AFAIK.
> 
> I was able to reproduce it with the 2 following versions:
> ncurses 5.9.20130518
> ncurses 6.0.20160213
> but not with
> ncurses 6.1.20190202
> 
> The problem is in _nc_save_str. In case it cannot copy the string it
> displays a warning and returns NULL. Future use of the string will lead to
> some segmentation fault.
> With the 2 first versions, I saw the "Too much data, some is lost" warning
> (there was a bunch of other warnings before getting the failure, so it does
> not SIGSEGV at once), not with the last one, but perhaps only because it
> parses the string differently.

Is this a duplicate of
https://invisible-island.net/ncurses/NEWS.html#index-t20170826
  + allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
(CVE-2017-13729) or something else?

Cheers!
Sylvain
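The failure mode Damien describes (a save routine that warns and returns NULL when its buffer is exhausted, and callers that dereference the result) is illustrated below with a constructed, simplified model added here; it is not ncurses code, and `strpool`, `save_str`, `count_matches_safe` and `demo` are hypothetical names chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not ncurses code): a fixed-size string pool.
 * save_str() mirrors the reported behaviour: on overflow it records a
 * "Too much data, some is lost" event and returns NULL instead of a pointer. */
#define POOL_SIZE 32

typedef struct {
    char buf[POOL_SIZE];
    size_t used;
    int lost;            /* number of strings dropped because the pool was full */
} strpool;

static char *save_str(strpool *p, const char *s) {
    size_t need = strlen(s) + 1;
    if (p->used + need > POOL_SIZE) {
        p->lost++;       /* warn-and-return-NULL: the value callers must check */
        return NULL;
    }
    char *dst = memcpy(p->buf + p->used, s, need);
    p->used += need;
    return dst;
}

/* Hardened consumer: a NULL result is treated as a cancelled entry and
 * skipped, rather than being passed on to strcmp() and dereferenced. */
static int count_matches_safe(strpool *p, const char *const *names,
                              size_t n, const char *want) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *saved = save_str(p, names[i]);
        if (saved == NULL)          /* the check missing on the crashing path */
            continue;
        if (strcmp(saved, want) == 0)
            hits++;
    }
    return hits;
}

/* Constructed input: 33 bytes of names into a 32-byte pool, so the final
 * "xterm" is lost. Returns the match count; lost_out (optional) gets p->lost. */
static int demo(int *lost_out) {
    static const char *const names[] = { "xterm", "xterm-256color", "vt100", "xterm" };
    strpool p = { {0}, 0, 0 };
    int hits = count_matches_safe(&p, names, 4, "xterm");
    if (lost_out) *lost_out = p.lost;
    return hits;
}

int main(void) {
    int lost = 0, hits = demo(&lost);
    printf("matches: %d, strings lost to pool overflow: %d\n", hits, lost);
    return 0;
}
```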
