Red Hat Bugzilla – Bug 1464684
Null pointer dereference vulnerability in _nc_save_str function of ncurses tool with latest version (6.0)
Last modified: 2017-08-02 08:36:38 EDT
Created attachment 1291504
Triggered by "captoinfo POC1"
Description of problem:
While ncurses/tinfo/comp_scan.c performs lexical scanning, nc_curr_token.tk_valstring (line 400) is initialized to NULL by crafted input. This leads to a denial of service (crash) when the variable is passed to the _nc_save_str function as a NULL pointer.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
(gdb) set args $POC
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x0000000000446c1a in _nc_save_str (string=0x0) at ../ncurses/./tinfo/alloc_entry.c:99
#2 0x0000000000437037 in _nc_parse_entry (entryp=0x7fffffffaf98, literal=0, silent=false) at ../ncurses/./tinfo/parse_entry.c:463
#3 0x0000000000431183 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, hook=0x0) at ../ncurses/./tinfo/comp_parse.c:227
#4 0x0000000000402c57 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:929
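The backtrace above shows the whole failure path: _nc_parse_entry hands the token's value string to _nc_save_str with string=0x0, and _nc_save_str calls strlen() on it (frame #0). The following is an added example written for this page, not ncurses code and not the fix that was shipped: a simplified string pool in the style of _nc_save_str, with the unchecked 'before' form that reproduces the crash pattern beside a checked form that rejects a NULL value and lets the parser fail the entry instead of faulting. The struct names, the pool size and the token layout are assumptions made for illustration; the sample tokens are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a terminfo string pool, written for this bug page.
 * It is not ncurses code; the names echo the frames in the backtrace
 * (_nc_save_str, tk_valstring) but the layout, size and behaviour are
 * assumptions for illustration only. */

#define POOL_SIZE 256

struct str_pool {
    char   buf[POOL_SIZE];   /* backing storage for saved strings */
    size_t next_free;        /* offset of the first unused byte */
};

/* A token as the scanner might hand it to the parser.  tk_valstring is
 * the value part of a "name=value" capability and may be NULL when the
 * scanner did not produce one (the condition the report describes). */
struct token {
    const char *tk_name;
    const char *tk_valstring;
};

/* Unchecked save: mirrors the crash pattern in the report.  strlen(NULL)
 * is undefined behaviour and faults on every mainstream libc, which is
 * frame #0 of the backtrace.  Kept here only as the 'before' form; never
 * call it with a NULL string. */
char *save_str_unchecked(struct str_pool *p, const char *string)
{
    size_t len = strlen(string) + 1;           /* faults if string == NULL */
    char *result;

    if (p->next_free + len > sizeof p->buf)
        return NULL;                           /* pool exhausted */
    result = p->buf + p->next_free;
    memcpy(result, string, len);
    p->next_free += len;
    return result;
}

/* Hardened save: treats a NULL string as a caller error rather than
 * dereferencing it, and keeps the bounds check.  Returns NULL on either
 * failure so the caller can reject the entry instead of crashing. */
char *save_str_checked(struct str_pool *p, const char *string)
{
    if (p == NULL || string == NULL)
        return NULL;
    return save_str_unchecked(p, string);
}

/* Parser step: save the token's value into the pool.  Returns 0 on
 * success and -1 when the token carried no value or the pool is full,
 * which is the point where a crafted entry in the report's scenario
 * should be rejected. */
int parse_string_capability(struct str_pool *p, const struct token *tok,
                            char **saved)
{
    char *s;

    if (tok == NULL || saved == NULL)
        return -1;
    s = save_str_checked(p, tok->tk_valstring);
    if (s == NULL)
        return -1;
    *saved = s;
    return 0;
}

int main(void)
{
    struct str_pool pool = { {0}, 0 };
    char *saved = NULL;

    /* Constructed tokens: a well-formed capability and one whose value
     * the scanner left NULL, as in the report. */
    struct token good = { "cup", "\\E[%i%p1%d;%p2%dH" };
    struct token bad  = { "cup", NULL };

    if (parse_string_capability(&pool, &good, &saved) == 0)
        printf("saved '%s' at offset %zu\n", saved,
               (size_t)(saved - pool.buf));

    if (parse_string_capability(&pool, &bad, &saved) != 0)
        printf("rejected token with NULL tk_valstring instead of crashing\n");

    return 0;
}
```

The check belongs at the boundary where the scanner's output enters the allocator: once strlen() runs, the process is already in undefined behaviour, so nothing downstream can recover. Build with `-fsanitize=address,undefined` to confirm that only the unchecked form faults on a NULL value.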
Severity medium (fix will appear in the weekly updates).
As this issue seems to have a very low impact, it's currently not planned to be fixed in RHEL 7.