Bug 84129 - Crash in on certain escape sequences
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: minicom
Version: 8.0
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Eido Inoue
QA Contact: Brock Organ

Reported: 2003-02-12 11:25 EST by Pavel Roskin
Modified: 2007-04-18 12:51 EDT

Fixed In Version: 2.00.0-15
Doc Type: Bug Fix
Last Closed: 2003-08-20 17:13:29 EDT
Attachments
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient. (580 bytes, patch)
2003-02-12 11:28 EST, Pavel Roskin

Description Pavel Roskin 2003-02-12 11:25:35 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207
Phoenix/0.5

Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0)
minicom crashes when mc exits.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run minicom
2. Log in to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape 0 Enter.


Actual Results:  minicom crashes

Expected Results:  the command prompt reappears in the minicom window

Additional info:

I haven't tried to reduce this to a minimal case, because the reason for the
crash is pretty clear from debugging.

When minicom starts, vt_trans is initialized, but savetrans is not (it
contains zeroes because it's static).  Then some escape sequence comes and
vt_trans is restored from savetrans (although it was never saved there). Using
vt_trans after that causes access to memory just above NULL.

There are two fixes - initialize savetrans with the same values as
vt_trans or check if vt_trans[charset] is NULL.  This patch has both, but only
one part is required.

I don't think this bug can be exploited to expose data or execute
commands.  However, it is possible to use it for a denial of service
attack if the attacker can affect the text displayed to other users at
startup (not likely).

I contacted the maintainer (Jukka Lahtinen <walker@clinet.fi>) and the mailing
list minicom-devel@bazar.conectiva.com.br.  The e-mail to the maintainer
bounced. There was no reply from the mailing list.
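
The failure described in the report above, as an added C example that is not part of the original report or of minicom's source: a restore that was never preceded by a save copies NULL pointers into vt_trans, and each of the two fixes stops the NULL access. Only vt_trans, savetrans and charset are names from the report; the struct, the function names and the sample map are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the state in the report; not minicom source. */
struct term {
    const unsigned char *vt_trans[2];  /* active translation table per charset */
    const unsigned char *savetrans[2]; /* copy written by a "save" sequence */
    int charset;
};

static unsigned char sample_map[256];  /* constructed table: 'q' becomes '-' */

/* fix_init = 1 applies the first fix: seed savetrans together with vt_trans. */
void term_init(struct term *t, int fix_init)
{
    for (int i = 0; i < 256; i++)
        sample_map[i] = (unsigned char)i;
    sample_map['q'] = '-';
    t->charset = 0;
    t->vt_trans[0] = t->vt_trans[1] = sample_map;
    t->savetrans[0] = t->savetrans[1] = NULL;   /* what zeroed static storage holds */
    if (fix_init)
        memcpy(t->savetrans, t->vt_trans, sizeof t->savetrans);
}

void term_save(struct term *t)    { memcpy(t->savetrans, t->vt_trans, sizeof t->savetrans); }
void term_restore(struct term *t) { memcpy(t->vt_trans, t->savetrans, sizeof t->vt_trans); }

/* Second fix: validate vt_trans[charset] before indexing it. Without the
   check, a NULL table turns map[c] into a read at address 0 + c. */
int term_translate(const struct term *t, unsigned char c)
{
    const unsigned char *map = t->vt_trans[t->charset];
    if (map == NULL)
        return c;            /* fall back to the untranslated byte */
    return map[c];
}

/* Returns 1 when a restore with no earlier save leaves a NULL table behind. */
int restore_without_save_leaves_null(int fix_init)
{
    struct term t;
    term_init(&t, fix_init);
    term_restore(&t);
    return t.vt_trans[t.charset] == NULL;
}
```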
Comment 1 Pavel Roskin 2003-02-12 11:28:37 EST
Created attachment 90033
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.
Comment 2 Eido Inoue 2003-08-20 17:13:29 EDT
Thanks for the patch. Incorporated in release 15 in rawhide.
