Bug 1464691

Summary: Null pointer dereference vulnerability in _nc_parse_entry function of ncurses tool with latest verison(6.0)
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: ncursesAssignee: Miroslav Lichvar <mlichvar>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: dickey, jkejda
Target Milestone: rcKeywords: Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-26 13:07:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 1473310    
Description Flags
Triggered by "infotocp POC5" none

Description owl337 2017-06-24 14:42:12 UTC
Created attachment 1291518 [details]
Triggered by  "infotocp POC5"

Description of problem:

The entryp->uses[i].name was written to NULL that led to NULL point dereference in  parse_entry.c:504.

Version-Release number of selected component (if applicable):

How reproducible:

 infotocap $POC

Steps to Reproduce:

The debug information is as follows:

$gdb infotocap
(gdb) set args $POC
 (gdb) r 
(gdb) bt 
#0 __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:24
 #1 0x00000000004381dc in _nc_parse_entry (entryp=0x7fffffffaf88, literal=<optimized out>, silent=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:504
 #2 0x00000000004317d3 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=<optimized out>, hook=<optimized out>) at ../ncurses/./tinfo/comp_parse.c:227 
#3 0x0000000000402c57 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:929

Actual results:


Expected results:


Additional info:


This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL. Please contact ganshuitao@gmail.com  and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 2 Thomas E. Dickey 2017-06-28 00:29:28 UTC
Severity medium (fix will appear in the weekly updates).

Comment 3 Miroslav Lichvar 2017-07-26 13:07:44 UTC

*** This bug has been marked as a duplicate of bug 1473310 ***