Bug 1464692
Summary: There was a stack overflow caused by format string vulnerability in fmt_entry function of ncurses tool with latest version(6.0). Crafted input could lead to arbitrary code execution.

Field | Value | Field | Value
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | owl337 <v.owl337>
Component: | ncurses | Assignee: | Miroslav Lichvar <mlichvar>
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE - Apps <qe-baseos-apps>
Severity: | urgent | Docs Contact: |
Priority: | unspecified | |
Version: | 7.5-Alt | CC: | dickey
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2017-06-29 07:58:20 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
This appears to be a duplicate, because once POC1-POC3 are addressed this is no longer reproducible.

*** This bug has been marked as a duplicate of bug 1464687 ***

Created attachment 1291519 [details] Triggered by "infotocp POC6"

Description of problem:
In the fmt_entry function, line 835, the sprintf function is called to copy some input-related values into a buffer, exceeding the length of MAX_TERMINFO_LENGTH + EXTRA_CAP bytes. The out-of-bounds write to the buffer overwrites the return address of the fmt_entry function.

Version-Release number of selected component (if applicable):
<=6.0

How reproducible:
infotocap $POC

Steps to Reproduce:
1. gdb infotocap
2. set a breakpoint on the fmt_entry return address before calling sprintf and after calling sprintf
3. check that the return address has been overwritten

Actual results:
the fmt_entry return address is overwritten; crash

Expected results:
the fmt_entry return address is overwritten; crash

Additional info:
Credits: This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
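As an added illustration (not code from the ncurses project or from the reporter), a bounded append in C modelled on the buffer the report describes: the unbounded sprintf pattern is kept only as a comment, and the replacement refuses a capability value that would not fit in MAX_TERMINFO_LENGTH + EXTRA_CAP bytes instead of writing past the buffer. The constant values, the entry_buf struct and the function names are constructed assumptions, not the real ncurses definitions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for illustration; the real ncurses values are not on this page. */
#define MAX_TERMINFO_LENGTH 4096
#define EXTRA_CAP 20
#define BUF_SIZE (MAX_TERMINFO_LENGTH + EXTRA_CAP)

typedef struct {
    char buf[BUF_SIZE];  /* fixed-size output, as in the reported function */
    size_t used;         /* bytes written so far, excluding the terminating NUL */
    bool overflowed;     /* set once an append would not fit */
} entry_buf;
/* The report's pattern, shown only for contrast and never called here:
 *   sprintf(e->buf + e->used, "%s=%s, ", name, value);   // no bound on value */

/* Bounded append: returns false and leaves buf unchanged when it would not fit. */
bool append_cap(entry_buf *e, const char *name, const char *value) {
    size_t room = BUF_SIZE - e->used;          /* always >= 1, see below */
    int n = snprintf(e->buf + e->used, room, "%s=%s, ", name, value);
    if (n < 0 || (size_t)n >= room) {
        e->buf[e->used] = '\0';                /* undo the truncated write */
        e->overflowed = true;
        return false;
    }
    e->used += (size_t)n;                      /* n < room keeps used < BUF_SIZE */
    return true;
}

/* Format name=value pairs; returns how many were accepted before stopping. */
size_t format_entry(entry_buf *e, const char **names, const char **values, size_t count) {
    memset(e, 0, sizeof *e);
    size_t accepted = 0;
    for (size_t i = 0; i < count && append_cap(e, names[i], values[i]); i++)
        accepted++;                            /* stop rather than write past buf */
    return accepted;
}

/* Returns 1 when an oversized value is rejected and earlier data is intact. */
int demo_oversized(void) {
    static char huge[BUF_SIZE + 1];            /* constructed: longer than buf */
    memset(huge, 'A', BUF_SIZE);
    huge[BUF_SIZE] = '\0';
    const char *names[] = { "cols", "acsc" };
    const char *values[] = { "80", huge };
    entry_buf e;
    size_t n = format_entry(&e, names, values, 2);
    return n == 1 && e.overflowed && strcmp(e.buf, "cols=80, ") == 0;
}
```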