Bug 1464692

Summary: There was a stack overflow caused by a format string vulnerability in the fmt_entry function of the ncurses tool with the latest version (6.0). Crafted input could lead to arbitrary code execution.
Product: Red Hat Enterprise Linux 7
Reporter: owl337 <v.owl337>
Component: ncurses
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: urgent
Priority: unspecified
Version: 7.5-Alt
CC: dickey
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2017-06-29 07:58:20 UTC
Type: Bug

Attachments:
Triggered by "infotocp POC6" (flags: none)

Description owl337 2017-06-24 14:47:58 UTC
Created attachment 1291519 [details]
Triggered by "infotocp POC6"

Description of problem:

In the fmt_entry function, at line 835, sprintf was called to copy some input-related values into a buffer, exceeding its length of MAX_TERMINFO_LENGTH + EXTRA_CAP bytes. The out-of-bounds write to the buffer overwrote the return address of the fmt_entry function.

Version-Release number of selected component (if applicable):

<=6.0

How reproducible:

infotocap $POC

Steps to Reproduce:
1. gdb infotocap
2. Set breakpoints for the fmt_entry return address before and after the call to sprintf.
3. Check that the return address is overwritten.

Actual results:

The fmt_entry return address is overwritten.
Crash.

Expected results:

The fmt_entry return address is overwritten.
Crash.


Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer, collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more information about the team, the tool or the vulnerability.
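The report describes an unbounded sprintf into a fixed buffer of MAX_TERMINFO_LENGTH + EXTRA_CAP bytes. The following is an added example, not code from the report or from ncurses: a hypothetical fmt_entry-style formatter that does the same kind of appending but with a bounded write that rejects anything that would not fit. The buffer sizes and the append_cap/format_entry names are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this example; the real ncurses values are not on the bug page. */
#define MAX_TERMINFO_LENGTH 64
#define EXTRA_CAP 16

/* Bounded append at buf[*pos]. The reported bug is the unbounded form of this step,
 * sprintf(buf + pos, ...); here a write that would not fit (NUL included) is rejected. */
static int append_cap(char *buf, size_t bufsize, size_t *pos, const char *fmt, ...)
{
    if (*pos >= bufsize) return 0;
    size_t room = bufsize - *pos;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        buf[*pos] = '\0';        /* drop the truncated partial write; *pos unchanged */
        return 0;
    }
    *pos += (size_t)n;
    return 1;
}

/* Hypothetical formatter: emits "name=value," pairs; returns how many fit, stops at the first that does not. */
static int format_entry(char *out, size_t outsize, const char *const names[], const char *const values[], int count)
{
    size_t pos = 0; out[0] = '\0';
    for (int i = 0; i < count; i++)
        if (!append_cap(out, outsize, &pos, "%s=%s,", names[i], values[i]))
            return i;
    return count;
}

int main(void)
{
    char out[MAX_TERMINFO_LENGTH + EXTRA_CAP], big[101];
    const char *names[] = { "bel", "cr" }, *ok[] = { "^G", "\\r" };
    memset(big, 'A', 100); big[100] = '\0';   /* constructed oversized capability value */
    const char *bad[] = { "^G", big };
    int n = format_entry(out, sizeof out, names, ok, 2);
    printf("%d caps fit: %s\n", n, out);
    n = format_entry(out, sizeof out, names, bad, 2);
    printf("%d caps fit, oversized value rejected: %s\n", n, out);
    return 0;
}
```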

Comment 2 Thomas E. Dickey 2017-06-28 00:14:34 UTC
This appears to be a duplicate, because once POC1-POC3 are addressed this is no longer reproducible.

Comment 3 Miroslav Lichvar 2017-06-29 07:58:20 UTC

*** This bug has been marked as a duplicate of bug 1464687 ***