Red Hat Bugzilla – Bug 84129
Crash in on certain escape sequences
Last modified: 2007-04-18 12:51:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207
Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0)
minicom crashes when mc exits.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run minicom
2. Log in to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape 0 Enter.
Actual Results: minicom crashes
Expected Results: the command prompt reappears in the minicom window
I haven't tried to reduce this to a minimal case, because the reason of the
crash is pretty clear from debugging.
When minicom starts, vt_trans is initialized, but savetrans is not (it
contains zeroes because it's static). Then some escape sequence comes and
vt_trans is restored from savetrans (although it was never saved there). Using
vt_trans after that causes access to memory just above NULL.
There are two fixes - initialize savetrans with the same values as
vt_trans or check if vt_trans[charset] is NULL. This patch has both, but only
one part is required.
I don't think this bug can be exploited to expose data or execute
commands. However, it is possible to use it for a denial of service
attack if the attacker can affect the text displayed to other users at
startup (not likely).
I contacted the maintainer (Jukka Lahtinen <email@example.com>) and the mailing
list firstname.lastname@example.org. The e-mail to the maintainer
bounced. There was no reply from the mailing list.
Created attachment 90033
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.
Thanks for the patch. Incorporated in release 15 in rawhide
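The restore-before-save condition from the report and both fixes it names, as an added C example that is not minicom's code or the attached patch. Only `vt_trans`, `savetrans` and `charset` come from the report; the types, the table contents and the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NCHARSETS 2

static char sample_map[256];        /* constructed table: maps a-z to A-Z  */
static char *vt_trans[NCHARSETS];   /* active translation tables           */
static char *savetrans[NCHARSETS];  /* static storage, so NULL until saved */
static int charset;                 /* index of the active table           */

/* Startup. seed_saved != 0 applies fix 1: savetrans starts with the same
 * values as vt_trans, so a restore before any save yields valid pointers. */
void term_init(int seed_saved)
{
    for (int i = 0; i < 256; i++)
        sample_map[i] = (char)((i >= 'a' && i <= 'z') ? i - 32 : i);
    for (int i = 0; i < NCHARSETS; i++) {
        vt_trans[i] = sample_map;
        savetrans[i] = seed_saved ? sample_map : NULL;
    }
    charset = 0;
}

/* Handlers for the save and restore escape sequences (hypothetical names). */
void state_save(void)    { memcpy(savetrans, vt_trans, sizeof vt_trans); }
void state_restore(void) { memcpy(vt_trans, savetrans, sizeof vt_trans); }

/* Returns 1 when an unchecked vt_trans[charset][c] lookup would fault. */
int active_table_is_null(void) { return vt_trans[charset] == NULL; }

/* Fix 2: validate the table pointer and pass the byte through if unset. */
int translate(unsigned char c)
{
    const char *map = vt_trans[charset];
    return map ? (unsigned char)map[c] : c;
}

int main(void)
{
    term_init(0);
    state_restore();   /* restore arrives before any save */
    printf("unseeded: null=%d 'a'->%c\n", active_table_is_null(), translate('a'));
    term_init(1);
    state_restore();
    printf("seeded:   null=%d 'a'->%c\n", active_table_is_null(), translate('a'));
    return 0;
}
```

With only the pointer check, the terminal survives but stops translating until the next save; seeding `savetrans` at startup keeps translation working as well.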