Bug 1464685 - Null pointer dereference vulnerability in postprocess_termcap function of ncurses tool with latest version (6.0)
Status: CLOSED DUPLICATE of bug 1464687
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses   
Version: 7.5-Alt
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Lichvar
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
 
Reported: 2017-06-24 14:23 UTC by owl337
Modified: 2017-06-29 08:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-29 08:03:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:
Triggered by "captoinfo POC2" (107 bytes, application/x-rar), 2017-06-24 14:23 UTC, owl337

Description owl337 2017-06-24 14:23:28 UTC
Created attachment 1291505
Triggered by "captoinfo POC2"

Description of problem:

In the postprocess_termcap function (parse_entry.c:838), the tp->Strings array was written using an illegal value transmitted by crafted input, which led to a null pointer dereference.

Version-Release number of selected component (if applicable):

<= 6.0

How reproducible:

captoinfo $POC

Steps to Reproduce:

The debug information is as follows:
$ gdb captoinfo
…
(gdb) set args $POC
(gdb) r
…
(gdb) bt
#0 __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:202
#1 0x00000000004396e1 in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:838
#2 _nc_parse_entry (entryp=0x7fffffffaf88, literal=<optimized out>, silent=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:507
#3 0x0000000000431183 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, hook=0x0) at ../ncurses/./tinfo/comp_parse.c:227
#4 0x0000000000402c57 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:929


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
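The backtrace above ends in strcmp() called from a post-processing pass over the entry's string table, which is the classic shape of this bug class: a table of capability strings holds sentinel values for "absent" and "cancelled" capabilities, and a pass that compares slots without first testing for those sentinels dereferences NULL. The following is an added illustration written for this page, not code from ncurses or from the reporter. The ABSENT_STRING / CANCELLED_STRING sentinel values follow the definitions in ncurses' term.h; the term_entry struct, the string table contents and the comparison functions are hypothetical stand-ins for tp->Strings and the real parser, constructed so the example runs stand-alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sentinels as defined in ncurses' term.h: an absent capability is a NULL
 * pointer, a cancelled one is (char *)-1. Neither may be passed to strcmp(). */
#define ABSENT_STRING    ((const char *)0)
#define CANCELLED_STRING ((const char *)(-1))

#define NUM_STRINGS 4

/* Hypothetical stand-in for the entry's Strings[] table (tp->Strings). */
typedef struct {
    const char *Strings[NUM_STRINGS];
} term_entry;

/* Mirrors ncurses' VALID_STRING() check: true only for a real string. */
static int valid_string(const char *s) {
    return s != ABSENT_STRING && s != CANCELLED_STRING;
}

/* Unsafe comparison, modelling the failure mode in the report: the slot is
 * handed straight to strcmp(). With a NULL slot this crashes inside strcmp(),
 * exactly as frame #0 of the backtrace shows. */
static int string_matches_unchecked(const term_entry *tp, int i, const char *expected) {
    return strcmp(tp->Strings[i], expected) == 0;
}

/* Hardened comparison: bounds-check the index and refuse to compare a slot
 * that holds a sentinel instead of a string. */
static int string_matches_checked(const term_entry *tp, int i, const char *expected) {
    if (i < 0 || i >= NUM_STRINGS)
        return 0;
    if (!valid_string(tp->Strings[i]))
        return 0;
    return strcmp(tp->Strings[i], expected) == 0;
}

/* Constructed sample entry: two real capabilities, one absent slot (what a
 * crafted input can leave behind) and one cancelled slot. */
static term_entry sample_entry(void) {
    term_entry tp;
    tp.Strings[0] = "\033[H\033[J";    /* clear screen */
    tp.Strings[1] = "\033[K";          /* clear to end of line */
    tp.Strings[2] = ABSENT_STRING;     /* never set by the parsed entry */
    tp.Strings[3] = CANCELLED_STRING;  /* explicitly cancelled with name@ */
    return tp;
}

/* A post-processing-style pass over every slot. Returns how many slots equal
 * `needle`. With checked == 0 it dereferences NULL at slot 2; with
 * checked != 0 it skips the sentinel slots and returns the correct count. */
static int count_matches(const term_entry *tp, const char *needle, int checked) {
    int n = 0;
    for (int i = 0; i < NUM_STRINGS; i++) {
        if (checked)
            n += string_matches_checked(tp, i, needle);
        else
            n += string_matches_unchecked(tp, i, needle);
    }
    return n;
}

int main(void) {
    term_entry tp = sample_entry();
    printf("checked matches for ESC[K: %d\n", count_matches(&tp, "\033[K", 1));
    /* count_matches(&tp, "\033[K", 0) would crash in strcmp() on slot 2,
     * reproducing the shape of the reported backtrace. */
    return 0;
}
```

The check is the whole fix for this bug class: every consumer of a capability table has to test for the absent and cancelled sentinels before treating a slot as a C string, and a parser that can leave sentinels in the table on malformed input has to be followed only by consumers that do so.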

Comment 2 Thomas E. Dickey 2017-06-28 00:29:15 UTC
Severity medium (fix will appear in the weekly updates).

Comment 3 Thomas E. Dickey 2017-06-28 21:43:43 UTC
Two duplicates of this report were filed, and should be closed:

https://bugzilla.redhat.com/show_bug.cgi?id=1464687
https://bugzilla.redhat.com/show_bug.cgi?id=1464692

Comment 4 Miroslav Lichvar 2017-06-29 08:03:18 UTC
The two bugs seem to have a higher security impact, so even if the fix for this bug solves the other issues, I think it's better to close this one as a duplicate.

*** This bug has been marked as a duplicate of bug 1464687 ***

