bug-ncurses

Re: Status of CVE-2018-19217


From: Sylvain Beucler
Subject: Re: Status of CVE-2018-19217
Date: Tue, 23 Apr 2019 11:04:45 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

Hi,

On 21/04/2019 10:02, Damien Guibouret wrote:
> Hello,
>
> On 20/04/2019 19:48, Sylvain Beucler wrote:
>> Hi,
>>
>> On Sat, Apr 20, 2019 at 07:43:46PM +0200, Damien Guibouret wrote:
>>> On 20/04/2019 18:44, Damien Guibouret wrote:
>>>> On 20/04/2019 10:10, Sylvain Beucler wrote:
>>>>> On Fri, Apr 19, 2019 at 09:38:51PM +0200, Damien Guibouret wrote:
>>>>>> On 19/04/2019 12:28, Sylvain Beucler wrote:
>>>>>>> On 16/04/2019 00:54, Thomas Dickey wrote:
>>>>>>>> On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
>>>>>>>>> As part of the Debian LTS project I'm triaging active ncurses
>>>>>>>>> vulnerabilities.
>>>>>>>>>
>>>>>>>>> For CVE-2018-19217, it seems nobody is able to reproduce the bug:
>>>>>>>>> "In ncurses 6.1, there is a NULL pointer dereference at the function
>>>>>>>>> _nc_name_match that will lead to a denial of service attack."
>>>>>>>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
>>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1643753
>>>>>>>>>
>>>>>>>>> I myself couldn't find a 6.1 version that crashes on this POC.
>>>>>>>>> It was never properly reported to the ncurses project itself, so I'm
>>>>>>>>> doing that now.
>>>>>>>>>
>>>>>>>>> Do you consider this bug valid?
>>>>>>>> no - it was reported in the wrong place, and I was
>>>>>>>> unable to reproduce it.
>>>>>>>>
>>>>>>>>> If not, I can request a rejection of this CVE.
>>>>>>>> sounds good
>>>>>>> MITRE now marks it as "** DISPUTED **".
>>>>>>> Not much more I can do AFAIK.
>>>>>>
>>>>>> I was able to reproduce it with the 2 following versions:
>>>>>> ncurses 5.9.20130518
>>>>>> ncurses 6.0.20160213
>>>>>> but not with
>>>>>> ncurses 6.1.20190202
>>>>>>
>>>>>> The problem is in _nc_save_str. In case it cannot copy the string it
>>>>>> displays a warning and returns NULL. Future use of the string will
>>>>>> lead to some segmentation fault.
>>>>>> With the 2 first versions, I saw the "Too much data, some is lost"
>>>>>> warning (there was a bunch of other warnings before getting the
>>>>>> failure, so it does not SIGSEGV at once), not with the last one, but
>>>>>> perhaps only because it parses the string differently.
>>>>>
>>>>> Is this a duplicate of
>>>>> https://invisible-island.net/ncurses/NEWS.html#index-t20170826
>>>>>     + allow for cancelled capabilities in _nc_save_str (Redhat
>>>>> #1484276).
>>>>> (CVE-2017-13729) or something else?
>>>>
>>>> It does not seem to be the same.
>>>> It fails for the same versions and not for the last one, but I did not
>>>> get the "Too much data, some is lost" warning, so corruption seems to be
>>>> somewhere else.
>>>
>>> Looking further at this one, it is completely fixed (addition of a check
>>> that strings are valid in the postprocess_termcap function through use of
>>> the PRESENT macro).
>>
>> Thanks!
>>
>> I'm interested in the version this was introduced in, so we can
>> clearly mark the various distro packages as affected/not-affected.
>> Do you happen to know it?
>
> I've checked some more on the first one.
> It is fixed as well by the adding of checks in _nc_parse_entry.
>
> They are both fixed by the CVE you spotted, even if it is at two
> different locations (ncurses 6.0 - patch 20170826).
> Looking at the changelog, all the corrections regarding "check for
> cancelled strings/invalid strings" cover these issues and certainly
> some others, so they are handled in several Redhat bug reports.


To recap, after a few more tests:

CVE-2018-19217: fixed in 6.0.20170701
CVE-2017-13729: fixed in 6.0.20170826

Cheers!
Sylvain