Bug 84129

Summary: Crash in on certain escape sequences
Product: [Retired] Red Hat Linux Reporter: Pavel Roskin <plroskin>
Component: minicom Assignee: Eido Inoue <havill>
Status: CLOSED RAWHIDE QA Contact: Brock Organ <borgan>
Severity: high Docs Contact:
Priority: medium    
Version: 8.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 2.00.0-15 Doc Type: Bug Fix
Last Closed: 2003-08-20 21:13:29 UTC Type: ---
Attachments:
Description Flags
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient. none

Description Pavel Roskin 2003-02-12 16:25:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207
Phoenix/0.5

Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0)
minicom crashes when mc exits.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run minicom
2. Log in to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape 0 Enter.


Actual Results:  minicom crashes

Expected Results:  the command prompt reappears in the minicom window

Additional info:

I haven't tried to reduce this to a minimal case, because the reason for the
crash is pretty clear from debugging.

When minicom starts, vt_trans is initialized, but savetrans is not (it
contains zeroes because it's static).  Then some escape sequence comes and
vt_trans is restored from savetrans (although it was never saved there). Using
vt_trans after that causes access to memory just above NULL.

There are two fixes - initialize savetrans with the same values as
vt_trans or check if vt_trans[charset] is NULL.  This patch has both, but only
one part is required.

I don't think this bug can be exploited to expose data or execute
commands.  However, it is possible to use it for a denial of service
attack if the attacker can affect the text displayed to other users at
startup (not likely).

I contacted the maintainer (Jukka Lahtinen <walker>) and the mailing
list minicom-devel.com.br.  The e-mail to the maintainer
bounced. There was no reply from the mailing list.
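
The failure mode described in the report, as an added example that is not minicom's code and not the attached patch: a simplified model in which a restore handler copies a never-saved static table array over the live one. Only the names `vt_trans`, `savetrans` and `charset` come from the report; `demo_map`, the function names, the `'q'` mapping and the pass-through fallback are assumptions.

```c
#include <stdio.h>
#include <stddef.h>
/* Simplified model, not minicom's source. Only the names vt_trans,
 * savetrans and charset come from the report; the rest is assumed. */
#define NSETS 2
static unsigned char demo_map[256];            /* hypothetical table */
static const unsigned char *vt_trans[NSETS];
static const unsigned char *savetrans[NSETS];  /* static: starts all NULL */
static int charset;

/* fix_init != 0 applies the first fix: savetrans gets vt_trans's values. */
void term_init(int fix_init)
{
    for (int i = 0; i < 256; i++)
        demo_map[i] = (unsigned char)i;
    demo_map['q'] = '-';                       /* constructed sample mapping */
    for (int i = 0; i < NSETS; i++) {
        vt_trans[i] = demo_map;
        savetrans[i] = fix_init ? demo_map : NULL;
    }
    charset = 0;
}

/* Restore handler: copies the saved tables back even if nothing was saved. */
void restore_state(void)
{
    for (int i = 0; i < NSETS; i++)
        vt_trans[i] = savetrans[i];
}

/* The unchecked output path would read vt_trans[charset][c]; with a NULL
 * table that is address c, i.e. just above NULL. Report it, don't do it. */
int would_crash(void) { return vt_trans[charset] == NULL; }

/* Second fix: validate vt_trans[charset] before indexing it. */
unsigned char translate_checked(unsigned char c)
{
    const unsigned char *t = vt_trans[charset];
    return t ? t[c] : c;                       /* NULL table: pass byte through */
}

int main(void)
{
    term_init(0); restore_state();
    printf("no init fix: would_crash=%d checked('q')=%c\n", would_crash(), translate_checked('q'));
    term_init(1); restore_state();
    printf("init fix:    would_crash=%d checked('q')=%c\n", would_crash(), translate_checked('q'));
    return 0;
}
```

In this model either fix alone avoids the NULL dereference, but with only the check in place the restored state has lost its translation table until something sets it again.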

Comment 1 Pavel Roskin 2003-02-12 16:28:37 UTC
Created attachment 90033 [details]
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.

Comment 2 Eido Inoue 2003-08-20 21:13:29 UTC
Thanks for the patch. Incorporated in release 15 in rawhide