Bug 1464684
| Summary: | Null pointer dereference vulnerability in _nc_save_str function of ncurses tool with latest verison(6.0) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | owl337 <v.owl337> | ||||
| Component: | ncurses | Assignee: | Miroslav Lichvar <mlichvar> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.5-Alt | CC: | dickey, jkejda | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-08-02 12:36:38 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Severity medium (fix will appear in the weekly updates). As this issue seems to have a very low impact, it's currently not planned to be fixed in RHEL 7. |
Created attachment 1291504 [details] Triggered by "captoinfo POC1" Description of problem: As ncurses/tinfo/comp_scan.c made lexical scanning,the nc_curr_token.tk_valstring(line:400) was initialized to Null by crafted input. It led to denial of service(crash) when the variable was transferred to _nc_save_str function as Null pointer. Version-Release number of selected component (if applicable): How reproducible: captoinfo $POC Steps to Reproduce: $gdb captoinfo … (gdb) set args $POC (gdb) r … (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x0000000000446c1a in _nc_save_str (string=0x0) at ../ncurses/./tinfo/alloc_entry.c:99 #2 0x0000000000437037 in _nc_parse_entry (entryp=0x7fffffffaf98, literal=0, silent=false) at ../ncurses/./tinfo/parse_entry.c:463 #3 0x0000000000431183 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, hook=0x0) at ../ncurses/./tinfo/comp_parse.c:227 #4 0x0000000000402c57 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:929 Actual results: crash Expected results: crash Additional info: