Bug 1766617 (CVE-2019-17595)

Summary: CVE-2019-17595 ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mbenatto, mlichvar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 09:55:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1766618, 1785703, 1785704    
Bug Blocks: 1766620    

Description Guilherme de Almeida Suckevicz 2019-10-29 14:03:49 UTC 
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Reference:
https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html
Comment 1 Guilherme de Almeida Suckevicz 2019-10-29 14:04:05 UTC 
Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 1766618]
Comment 3 Marco Benatto 2019-12-20 15:05:12 UTC 
Upstream commit for this issue:

https://github.com/mirror/ncurses/commit/b025434573f466efe27862656a6a9d41dd2bd609

 ncurses 6.1 - patch 20191012

+ amend recent changes to ncurses*-config and pc-files to filter out
  Debian linker-flags (report by Sven Joachim, cf: 20150516).
+ clarify relationship between tic, infocmp and captoinfo in manpage.
+ check for invalid hashcode in _nc_find_type_entry and
  _nc_find_name_entry.
> fix several errata in tic (reports/testcases by "zjuchenyuan"):
+ check for invalid hashcode in _nc_find_entry.
+ check for missing character after backslash in fmt_entry
+ check for acsc with odd length in dump_entry in check for one-one
  mapping (cf: 20060415);
+ check length when converting from old AIX box_chars_1 capability,
  overlooked in changes to eliminate strcpy (cf: 20001007).
+ amend the ncurses*-config and pc-files to take into account the rpath
Comment 7 Marco Benatto 2019-12-20 18:55:03 UTC 
There's an issue with ncurses library when using infotocap tool to read and dump terminal capabilities from terminfo files. A termeinfo file is a database which described terminal capabilities and screen operations used by several screen-oriented programs. When dumping terminfo data, infotocap parses the input file but misses to check NULL byte terminators on some scenarios leading to a heap-based buffer overflow by reading extra bytes beyond the allocated buffer. An attack may leverage this by crafting a special terminfo input file leading the application to crash, thus causing DoS, to dump extra bytes from heap causing a low confidentiality impact.
Comment 16 errata-xmlrpc 2021-11-09 18:44:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4426 https://access.redhat.com/errata/RHSA-2021:4426