Bug 84129 - Crash in on certain escape sequences
Summary: Crash in on certain escape sequences
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: minicom
Version: 8.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Eido Inoue
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-02-12 16:25 UTC by Pavel Roskin
Modified: 2007-04-18 16:51 UTC (History)
0 users

Fixed In Version: 2.00.0-15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-08-20 21:13:29 UTC


Attachments
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient. (580 bytes, patch)
2003-02-12 16:28 UTC, Pavel Roskin

Description Pavel Roskin 2003-02-12 16:25:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207
Phoenix/0.5

Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0)
minicom crashes when mc exits.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run minicom
2. Log in to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape 0 Enter.


Actual Results:  minicom crashes

Expected Results:  the command prompt reappears in the minicom window

Additional info:

I haven't tried to reduce this to a minimal case, because the reason for the
crash is pretty clear from debugging.

When minicom starts, vt_trans is initialized, but savetrans is not (it
contains zeroes because it's static).  Then some escape sequence comes and
vt_trans is restored from savetrans (although it was never saved there). Using
vt_trans after that causes access to memory just above NULL.

There are two fixes - initialize savetrans with the same values as
vt_trans or check if vt_trans[charset] is NULL.  This patch has both, but only
one part is required.

I don't think this bug can be exploited to expose data or execute
commands.  However, it is possible to use it for a denial of service
attack if the attacker can affect the text displayed to other users at
startup (not likely).

I contacted the maintainer (Jukka Lahtinen <walker@clinet.fi>) and the mailing
list minicom-devel@bazar.conectiva.com.br.  The e-mail to the maintainer
bounced. There was no reply from the mailing list.
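
The failure mode described in the report, as an added example that is not minicom source and not the attached patch: a simplified model of restoring table pointers from a never-written static save area, with both proposed fixes. Only `vt_trans` and `savetrans` are names from the report; the other identifiers and the pass-through fallback are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not minicom source. Only vt_trans and savetrans are
 * names from the report; everything else here is hypothetical. */
static unsigned char identity_map[256];
static unsigned char *vt_trans[2];
static unsigned char *savetrans[2];  /* static storage: starts zeroed */

static void model_init(int init_saved)
{
    for (int i = 0; i < 256; i++)
        identity_map[i] = (unsigned char)i;
    vt_trans[0] = vt_trans[1] = identity_map;
    savetrans[0] = savetrans[1] = NULL;  /* state at program start */
    if (init_saved)                      /* fix 1: seed the saved copy */
        savetrans[0] = savetrans[1] = identity_map;
}

/* Effect of a "restore" escape sequence on the tables. */
static void model_restore(void)
{
    vt_trans[0] = savetrans[0];
    vt_trans[1] = savetrans[1];
}

/* Fix 2: validate the slot before indexing it. Passing the byte through
 * unchanged on NULL is an assumption of this sketch. */
static int translate_checked(int charset, unsigned char c)
{
    return vt_trans[charset] ? vt_trans[charset][c] : c;
}

/* 1 if restore-without-save leaves a NULL table (unchecked use faults). */
static int restore_leaves_null(int init_saved)
{
    model_init(init_saved);
    model_restore();
    return vt_trans[0] == NULL || vt_trans[1] == NULL;
}

int main(void)
{
    printf("unpatched=%d fix1=%d\n", restore_leaves_null(0), restore_leaves_null(1));
    restore_leaves_null(0);              /* back to the broken state */
    printf("fix2: 'A' -> '%c'\n", translate_checked(0, 'A'));
    return 0;
}
```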

Comment 1 Pavel Roskin 2003-02-12 16:28:37 UTC
Created attachment 90033
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.

Comment 2 Eido Inoue 2003-08-20 21:13:29 UTC
Thanks for the patch. Incorporated in release 15 in rawhide

