bug-ncurses

Re: Status of CVE-2018-19217


From: Sylvain Beucler
Subject: Re: Status of CVE-2018-19217
Date: Sat, 20 Apr 2019 19:48:08 +0200
User-agent: NeoMutt/20170113 (1.7.2)

Hi,

On Sat, Apr 20, 2019 at 07:43:46PM +0200, Damien Guibouret wrote:
> On 20/04/2019 18:44, Damien Guibouret wrote:
> > On 20/04/2019 10:10, Sylvain Beucler wrote:
> > > On Fri, Apr 19, 2019 at 09:38:51PM +0200, Damien Guibouret wrote:
> > > > On 19/04/2019 12:28, Sylvain Beucler wrote:
> > > > > On 16/04/2019 00:54, Thomas Dickey wrote:
> > > > > > On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
> > > > > > > As part of the Debian LTS project I'm triaging active ncurses
> > > > > > > vulnerabilities.
> > > > > > > 
> > > > > > > For CVE-2018-19217, it seems nobody is able to reproduce the bug:
> > > > > > > "In ncurses 6.1, there is a NULL pointer dereference at the 
> > > > > > > function
> > > > > > > _nc_name_match that will lead to a denial of service attack."
> > > > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
> > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1643753
> > > > > > > 
> > > > > > > I myself couldn't find a 6.1 version that crashes on this POC.
> > > > > > > It was never properly reported to the ncurses project itself, so 
> > > > > > > I'm
> > > > > > > doing that now.
> > > > > > > 
> > > > > > > Do you consider this bug valid?
> > > > > > no - it was reported in the wrong place, and I was
> > > > > > unable to reproduce it.
> > > > > > 
> > > > > > > If not, I can request a rejection of this CVE.
> > > > > > sounds good
> > > > > MITRE now marks it as "** DISPUTED **".
> > > > > Not much more I can do AFAIK.
> > > > 
> > > > I was able to reproduce it with the 2 following versions:
> > > > ncurses 5.9.20130518
> > > > ncurses 6.0.20160213
> > > > but not with
> > > > ncurses 6.1.20190202
> > > > 
> > > > The problem is in _nc_save_str. In case it cannot copy the string it
> > > > displays a warning and returns NULL. Future use of the string will lead to
> > > > some segmentation fault.
> > > > With the 2 first versions, I saw the "Too much data, some is
> > > > lost" warning
> > > > (there was a bunch of other warnings before getting the failure,
> > > > so it does
> > > > not SIGSEGV at once), not with the last one, but perhaps only because it
> > > > parses the string differently.
> > > 
> > > Is this a duplicate of
> > > https://invisible-island.net/ncurses/NEWS.html#index-t20170826
> > >    + allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
> > > (CVE-2017-13729) or something else?
> > 
> > It does not seem to be the same.
> > It fails for the same versions and not for the last one, but I did not
> > get the "Too much data, some is lost" warning, so corruption seems to be
> > somewhere else.
> 
> Looking further into this one, it is completely fixed (add of check that
> strings are valid in postprocess_termcap function through using PRESENT
> macro).

Thanks!

I'm interested in the version this was introduced in, so we can
clearly mark the various distro packages as affected/not-affected.
Do you happen to know it?

Cheers!
Sylvain
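The failure mode Damien describes above (a string-saving routine that warns and returns NULL when its buffer is exhausted, and a later caller that dereferences that NULL) is reproduced below in a small, self-contained C program. This is an added illustration written for this page, not ncurses source: the pool, the `save_str` function, the `STR_PRESENT` macro standing in for the role of ncurses' PRESENT check, and the sample capability strings are all constructed here, and the pool size is deliberately tiny so that the overflow is hit on realistic-looking input.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size string pool (not ncurses code). Once it is
 * full, save_str() warns, counts the loss and returns NULL, which is
 * exactly the condition a consumer must check before dereferencing. */
#define POOL_SIZE 32

struct strpool {
    char buf[POOL_SIZE];
    size_t used;
    int lost;   /* number of strings that did not fit */
};

/* Copy s into the pool; return the stored copy, or NULL if it does not fit. */
const char *save_str(struct strpool *p, const char *s)
{
    size_t n = strlen(s) + 1;           /* include the terminating NUL */
    if (p->used + n > POOL_SIZE) {
        p->lost++;
        fprintf(stderr, "Too much data, some is lost\n");
        return NULL;
    }
    char *dst = p->buf + p->used;
    memcpy(dst, s, n);
    p->used += n;
    return dst;
}

/* Stand-in for a PRESENT-style check: a string capability is usable
 * only when the pointer is non-NULL. */
#define STR_PRESENT(s) ((s) != NULL)

/* Unsafe consumer: assumes save_str() never fails. With a NULL input
 * this dereferences NULL and the process dies with SIGSEGV. */
size_t caplen_unchecked(const char *cap)
{
    return strlen(cap);
}

/* Safe consumer: a missing capability contributes nothing. */
size_t caplen_checked(const char *cap)
{
    return STR_PRESENT(cap) ? strlen(cap) : 0;
}

/* Push constructed sample capability strings through the pool with the
 * checked consumer. Stores the summed length of the strings that were
 * actually kept in *total_len and returns how many were dropped. */
int run_demo(size_t *total_len)
{
    static const char *caps[] = {
        "\\E[H\\E[2J",            /* 9 chars  -> fits (used 10)  */
        "\\E[%i%p1%d;%p2%dH",     /* 17 chars -> fits (used 28)  */
        "\\E[K",                  /* 4 chars  -> dropped         */
        "\\E[?1049h"              /* 9 chars  -> dropped         */
    };
    struct strpool pool = { {0}, 0, 0 };
    size_t total = 0;
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++) {
        const char *saved = save_str(&pool, caps[i]);
        /* caplen_unchecked(saved) here would crash on the third string */
        total += caplen_checked(saved);
    }
    *total_len = total;
    return pool.lost;
}

int main(void)
{
    size_t total = 0;
    int lost = run_demo(&total);
    printf("stored length %zu, strings lost %d\n", total, lost);
    return 0;
}
```

Swapping `caplen_checked` for `caplen_unchecked` inside the loop turns the two "Too much data, some is lost" warnings into a crash on the third string, which matches the sequence of warnings followed by a segmentation fault that Damien reports; the checked form is the behaviour the PRESENT check in `postprocess_termcap` restores.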


