bug-ncurses

Re: Status of CVE-2018-19217


From: Damien Guibouret
Subject: Re: Status of CVE-2018-19217
Date: Sat, 20 Apr 2019 19:43:46 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1



On 20/04/2019 18:44, Damien Guibouret wrote:
Hello,

On 20/04/2019 10:10, Sylvain Beucler wrote:
Hi,

On Fri, Apr 19, 2019 at 09:38:51PM +0200, Damien Guibouret wrote:
On 19/04/2019 12:28, Sylvain Beucler wrote:
On 16/04/2019 00:54, Thomas Dickey wrote:
On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
As part of the Debian LTS project I'm triaging active ncurses
vulnerabilities.

For CVE-2018-19217, it seems nobody is able to reproduce the bug:
"In ncurses 6.1, there is a NULL pointer dereference at the function
_nc_name_match that will lead to a denial of service attack."
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
https://bugzilla.redhat.com/show_bug.cgi?id=1643753

I myself couldn't find a 6.1 version that crashes on this POC.
It was never properly reported to the ncurses project itself, so I'm
doing that now.

Do you consider this bug valid?
no - it was reported in the wrong place, and I was unable to reproduce it.

If not, I can request a rejection of this CVE.
sounds good
MITRE now marks it as "** DISPUTED **".
Not much more I can do AFAIK.

I was able to reproduce it with the 2 following versions:
ncurses 5.9.20130518
ncurses 6.0.20160213
but not with
ncurses 6.1.20190202

The problem is in _nc_save_str. In case it cannot copy the string, it
displays a warning and returns NULL. Future use of the string will lead to
a segmentation fault.
With the first 2 versions, I saw the "Too much data, some is lost" warning (there were a bunch of other warnings before getting the failure, so it does
not SIGSEGV at once), not with the last one, but perhaps only because it
parses the string differently.

Is this a duplicate of
https://invisible-island.net/ncurses/NEWS.html#index-t20170826
   + allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
(CVE-2017-13729) or something else?

Cheers!
Sylvain


It does not seem to be the same.
It fails for the same versions and not for the last one, but I did not get the "Too much data, some is lost" warning, so the corruption seems to be somewhere else.

Regards,

Damien

Looking further into this one, it is completely fixed (addition of a check that strings are valid in the postprocess_termcap function through use of the PRESENT macro).

Regards,

Damien
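Added example (not ncurses source, and not code from either poster) modelling the failure mode discussed in the thread: a saver that warns and returns NULL when its fixed pool is full, the unchecked use of that pointer that becomes the NULL dereference, and the PRESENT()-style check the fix adds. ABSENT_STRING, CANCELLED_STRING and PRESENT mirror the ncurses definitions; POOL_SIZE, save_str and the two consumer functions are constructed for the demo.

```c
/* Added example, not ncurses source. Models the failure mode from the
 * thread: a fixed pool hands out string pointers and, when full, warns and
 * returns NULL; a consumer that uses the pointer unchecked dereferences
 * NULL. ABSENT_STRING, CANCELLED_STRING and PRESENT() mirror the ncurses
 * definitions; POOL_SIZE, save_str and both consumers are constructed. */
#include <stdio.h>
#include <string.h>

#define ABSENT_STRING    ((char *)0)
#define CANCELLED_STRING ((char *)(-1))
#define PRESENT(s) (((s) != ABSENT_STRING) && ((s) != CANCELLED_STRING))
#define POOL_SIZE 24                 /* deliberately tiny for the demo */
static char pool[POOL_SIZE];
static size_t pool_used;
void reset_pool(void) { pool_used = 0; }

/* Copies s into the pool; warns and returns NULL when it does not fit. */
char *save_str(const char *s)
{
    size_t need = strlen(s) + 1;
    if (pool_used + need > POOL_SIZE) {
        fprintf(stderr, "Too much data, some is lost\n");
        return ABSENT_STRING;        /* the value the caller must check */
    }
    char *dst = memcpy(pool + pool_used, s, need);
    pool_used += need;
    return dst;
}

/* Unchecked consumer (shape of the bug): strlen() on a NULL entry is the
 * NULL dereference the CVE text describes. */
size_t sum_lengths_unchecked(char **caps, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += strlen(caps[i]);
    return total;
}

/* Checked consumer (shape of the fix): only PRESENT entries are touched. */
size_t sum_lengths_checked(char **caps, size_t n, size_t *skipped)
{
    size_t total = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (!PRESENT(caps[i])) { (*skipped)++; continue; }
        total += strlen(caps[i]);
    }
    return total;
}
```

Handing the third entry to sum_lengths_unchecked would crash exactly as the thread describes; sum_lengths_checked skips it and reports how many entries were absent or cancelled.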


