From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0) minicom crashes when mc exits.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Run minicom
2. Log in to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape 0 Enter.

Actual Results: minicom crashes

Expected Results: the command prompt reappears in the minicom window

Additional info:

I haven't tried to reduce this to a minimal case, because the reason for the crash is pretty clear from debugging. When minicom starts, vt_trans is initialized, but savetrans is not (it contains zeroes because it's static). Then some escape sequence comes and vt_trans is restored from savetrans (although it was never saved there). Using vt_trans after that causes access to memory just above NULL.

There are two fixes - initialize savetrans with the same values as vt_trans or check if vt_trans[charset] is NULL. This patch has both, but only one part is required.

I don't think this bug can be exploited to expose data or execute commands. However, it is possible to use it for a denial of service attack if the attacker can affect the text displayed to other users at startup (not likely).

I contacted the maintainer (Jukka Lahtinen <walker>) and the mailing list minicom-devel.com.br. The e-mail to the maintainer bounced. There was no reply from the mailing list.
Created attachment 90033 [details] Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.
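A minimal C model of the failure described in the report and of the two fixes, added here as an illustration; it is not minicom's source or the attached patch. Only the names `vt_trans` and `savetrans` come from the report; the table layout, `NSETS`, the function names and the pass-through fallback are assumptions, and the model returns a sentinel where the unpatched program would dereference NULL.

```c
#include <stddef.h>
#include <string.h>

#define NSETS 2                 /* assumed number of charset slots */
#define WOULD_CRASH (-1)        /* model's stand-in for the NULL dereference */

static unsigned char table[256];          /* constructed identity translation table */
static unsigned char *vt_trans[NSETS];
static unsigned char *savetrans[NSETS];   /* static storage: starts as all NULL */

/* Startup. fix_init selects the first fix: seed savetrans with vt_trans's values. */
static void term_init(int fix_init)
{
    int i;
    for (i = 0; i < 256; i++)
        table[i] = (unsigned char)i;
    for (i = 0; i < NSETS; i++) {
        vt_trans[i] = table;
        savetrans[i] = fix_init ? table : NULL;
    }
}

/* "Restore" escape sequence: copies the saved pointers back, saved or not. */
static void restore_state(void)
{
    memcpy(vt_trans, savetrans, sizeof(vt_trans));
}

/* Translate one byte. fix_check selects the second fix: validate the pointer. */
static int translate(int charset, unsigned char c, int fix_check)
{
    if (vt_trans[charset] == NULL) {
        if (!fix_check)
            return WOULD_CRASH;   /* unpatched code reads NULL + c here */
        return c;                 /* assumed fallback: pass the byte through */
    }
    return vt_trans[charset][c];
}

/* Runs init -> restore without a prior save -> translate 'A' on charset 0. */
int run_scenario(int fix_init, int fix_check)
{
    term_init(fix_init);
    restore_state();
    return translate(0, 'A', fix_check);
}

int main(void)
{
    return run_scenario(0, 0) == WOULD_CRASH ? 0 : 1;
}
```

Calling `run_scenario` with either flag set shows that each fix on its own keeps the translation step from touching a NULL table.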
Thanks for the patch. Incorporated in release 15 in rawhide.