Bug 1766745 (CVE-2019-17594)
| Summary: | CVE-2019-17594 ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | mbenatto, mlichvar, sonu.khan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-25 22:11:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1766746, 1786351, 1786352 | ||
| Bug Blocks: | 1766748 | ||
|
Description
Guilherme de Almeida Suckevicz
2019-10-29 19:26:14 UTC
Created ncurses tracking bugs for this issue: Affects: fedora-all [bug 1766746] Upstream patch for this issue: https://github.com/mirror/ncurses/commit/b025434573f466efe27862656a6a9d41dd2bd609 commit b025434573f466efe27862656a6a9d41dd2bd609 Author: Thomas E. Dickey <dickey> Date: Sun Oct 13 01:25:51 2019 +0000 ncurses 6.1 - patch 20191012 + amend recent changes to ncurses*-config and pc-files to filter out Debian linker-flags (report by Sven Joachim, cf: 20150516). + clarify relationship between tic, infocmp and captoinfo in manpage. + check for invalid hashcode in _nc_find_type_entry and _nc_find_name_entry. > fix several errata in tic (reports/testcases by "zjuchenyuan"): + check for invalid hashcode in _nc_find_entry. + check for missing character after backslash in fmt_entry + check for acsc with odd length in dump_entry in check for one-one mapping (cf: 20060415); + check length when converting from old AIX box_chars_1 capability, overlooked in changes to eliminate strcpy (cf: 20001007). + amend the ncurses*-config and pc-files to take into account the rpath There's an issue with ncurses when parsing terminal capabilities information files (terminfo files). The capabilities names are kept in a hash table, during the parsing ncurses try to match names found at the terminfo file with those hashed entries from its internal tables in function _nc_find_entry(). However some strings may cause the hash algorithm to overflow and generate invalid hash tags which are further used to walk over the related hash table returning invalid data, which will be further used to retrieve data from captables residing into process's heap. An attacker may take advantage of this weakness by crafting a terminfo file which may trigger the bug, resulting in low confidentiality, low integrity and low availability impact as depicted bellow: Low confidentiality: The heap overflow causes out-of-bounds read which may expose some chunks of data contained on the task's heap; Low integrity: Eventually the overflow could result in memory corruption of some bytes contained on the heap; Low availability: The overflow may cause invalid memory access leading to segmentation fault causing DoS, however only the single run for this single user will be affected. Hi Marco, Is there any steps to reproduce this issue or for mitigation? In reply to comment #9: > Hi Marco, > > Is there any steps to reproduce this issue or for mitigation? Hello, Sorry about the delay. Unfortunately the only possible mitigation for this issue is avoiding to manipulate terminfo files from untrusted sources. thanks, This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4426 https://access.redhat.com/errata/RHSA-2021:4426 |