Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1464684 - Null pointer dereference vulnerability in _nc_save_str function of ncurses tool with latest verison(6.0)
Null pointer dereference vulnerability in _nc_save_str function of ncurses to...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses (Show other bugs)
7.5-Alt
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Miroslav Lichvar
BaseOS QE - Apps
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-24 10:17 EDT by owl337
Modified: 2017-08-02 08:36 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-02 08:36:38 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Triggered by "captoinfo POC1" (89 bytes, application/x-rar)
2017-06-24 10:17 EDT, owl337
no flags Details

  None (edit)
Description owl337 2017-06-24 10:17:07 EDT
Created attachment 1291504 [details]
Triggered by  "captoinfo POC1"

Description of problem:

As ncurses/tinfo/comp_scan.c made lexical scanning,the nc_curr_token.tk_valstring(line:400) was initialized to Null by crafted input. It  led to  denial of service(crash) when the variable was transferred to _nc_save_str function as Null pointer. 

Version-Release number of selected component (if applicable):


How reproducible:

captoinfo $POC

Steps to Reproduce:

$gdb captoinfo
…
(gdb) set args $POC
(gdb) r
…
(gdb) bt
 #0 strlen () at ../sysdeps/x86_64/strlen.S:106 
#1 0x0000000000446c1a in _nc_save_str (string=0x0) at ../ncurses/./tinfo/alloc_entry.c:99
 #2 0x0000000000437037 in _nc_parse_entry (entryp=0x7fffffffaf98, literal=0, silent=false) at ../ncurses/./tinfo/parse_entry.c:463 
#3 0x0000000000431183 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, hook=0x0) at ../ncurses/./tinfo/comp_parse.c:227
 #4 0x0000000000402c57 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:929


Actual results:

crash

Expected results:

crash

Additional info:
Comment 2 Thomas E. Dickey 2017-06-27 20:29:10 EDT
Severity medium (fix will appear in the weekly updates).
Comment 4 Miroslav Lichvar 2017-08-02 08:36:38 EDT
As this issue seems to have a very low impact, it's currently not planned to be fixed in RHEL 7.

Note You need to log in before you can comment on or make changes to this bug.