Bug 1576119 (CVE-2018-10754) - CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.
Summary: CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function ...
Keywords:
Status: NEW
Alias: CVE-2018-10754
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1566575 (view as bug list)
Depends On: 1576120 1576121 1576823
Blocks: 1576123
TreeView+ depends on / blocked
 
Reported: 2018-05-08 21:58 UTC by Laura Pardo
Modified: 2019-09-29 14:38 UTC (History)
3 users (show)

Fixed In Version: ncurses 6.1.20180414
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference was found in the way the _nc_parse_entry function parses terminfo data for compilation. An attacker able to provide specially crafted terminfo data could use this flaw to crash the application parsing it.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Laura Pardo 2018-05-08 21:58:27 UTC
A flaw was found in ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1566575

Comment 1 Laura Pardo 2018-05-08 21:58:47 UTC
Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 1576121]

Comment 3 Miroslav Lichvar 2018-05-09 12:55:33 UTC
*** Bug 1566575 has been marked as a duplicate of this bug. ***

Comment 4 Cedric Buissart 2018-05-10 08:24:40 UTC
Upstream patch can be found as part of ftp://ftp.invisible-island.net/ncurses/6.1/ncurses-6.1-20180414.patch.gz

--- ncurses-6.1-20180407+/ncurses/tinfo/parse_entry.c   2017-08-26 19:49:50.000000000 +0000
+++ ncurses-6.1-20180414/ncurses/tinfo/parse_entry.c    2018-04-14 17:41:12.000000000 +0000
@@ -543,9 +543,11 @@
         * Otherwise, look for a base entry that will already
         * have picked up defaults via translation.
         */  
-       for (i = 0; i < entryp->nuses; i++)
-           if (!strchr((char *) entryp->uses[i].name, '+'))
+       for (i = 0; i < entryp->nuses; i++) {
+           if (entryp->uses[i].name != 0
+           && !strchr(entryp->uses[i].name, '+'))
            has_base_entry = TRUE;
+       }   
        }   
 
        postprocess_termcap(&entryp->tterm, has_base_entry);


Note You need to log in before you can comment on or make changes to this bug.