Bug 1576119 – CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1576119 - (CVE-2018-10754) CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.

Summary:	CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function ...

Status:	NEW

Aliases:	CVE-2018-10754

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180412,reported=2...
Keywords:	Security

Duplicates:	1566575 (view as bug list)
Depends On:	1576120 1576823 1576121
Blocks:	1576123
	Show dependency tree / graph

Reported:	2018-05-08 17:58 EDT by Laura Pardo
Modified:	2018-10-16 01:00 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	ncurses 6.1.20180414
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer dereference was found in the way the _nc_parse_entry function parses terminfo data for compilation. An attacker able to provide specially crafted terminfo data could use this flaw to crash the application parsing it.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Laura Pardo 2018-05-08 17:58:27 EDT

A flaw was found in ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1566575

Comment 1 Laura Pardo 2018-05-08 17:58:47 EDT

Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 1576121]

Comment 3 Miroslav Lichvar 2018-05-09 08:55:33 EDT

*** Bug 1566575 has been marked as a duplicate of this bug. ***

Comment 4 Cedric Buissart 2018-05-10 04:24:40 EDT

Upstream patch can be found as part of ftp://ftp.invisible-island.net/ncurses/6.1/ncurses-6.1-20180414.patch.gz

--- ncurses-6.1-20180407+/ncurses/tinfo/parse_entry.c   2017-08-26 19:49:50.000000000 +0000
+++ ncurses-6.1-20180414/ncurses/tinfo/parse_entry.c    2018-04-14 17:41:12.000000000 +0000
@@ -543,9 +543,11 @@
         * Otherwise, look for a base entry that will already
         * have picked up defaults via translation.
         */  
-       for (i = 0; i < entryp->nuses; i++)
-           if (!strchr((char *) entryp->uses[i].name, '+'))
+       for (i = 0; i < entryp->nuses; i++) {
+           if (entryp->uses[i].name != 0
+           && !strchr(entryp->uses[i].name, '+'))
            has_base_entry = TRUE;
+       }   
        }   
 
        postprocess_termcap(&entryp->tterm, has_base_entry);

Note You need to log in before you can comment on or make changes to this bug.