Bug 1576119 (CVE-2018-10754)

Summary: CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cbuissar, daniel810736, mlichvar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ncurses 6.1.20180414 Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference was found in the way the _nc_parse_entry function parses terminfo data for compilation. An attacker able to provide specially crafted terminfo data could use this flaw to crash the application parsing it.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 20:03:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1576120, 1576121, 1576823    
Bug Blocks: 1576123    

Description Laura Pardo 2018-05-08 21:58:27 UTC
A flaw was found in ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1566575

Comment 1 Laura Pardo 2018-05-08 21:58:47 UTC
Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 1576121]

Comment 3 Miroslav Lichvar 2018-05-09 12:55:33 UTC
*** Bug 1566575 has been marked as a duplicate of this bug. ***

Comment 4 Cedric Buissart 2018-05-10 08:24:40 UTC
Upstream patch can be found as part of ftp://ftp.invisible-island.net/ncurses/6.1/ncurses-6.1-20180414.patch.gz

--- ncurses-6.1-20180407+/ncurses/tinfo/parse_entry.c   2017-08-26 19:49:50.000000000 +0000
+++ ncurses-6.1-20180414/ncurses/tinfo/parse_entry.c    2018-04-14 17:41:12.000000000 +0000
@@ -543,9 +543,11 @@
         * Otherwise, look for a base entry that will already
         * have picked up defaults via translation.
         */  
-       for (i = 0; i < entryp->nuses; i++)
-           if (!strchr((char *) entryp->uses[i].name, '+'))
+       for (i = 0; i < entryp->nuses; i++) {
+           if (entryp->uses[i].name != 0
+           && !strchr(entryp->uses[i].name, '+'))
            has_base_entry = TRUE;
+       }   
        }   
 
        postprocess_termcap(&entryp->tterm, has_base_entry);