1576119 – (CVE-2018-10754) CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.

Bug 1576119 (CVE-2018-10754) - CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.

Summary: CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-10754
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1566575 (view as bug list)
Depends On:	1576120 1576121 1576823
Blocks:	1576123
TreeView+	depends on / blocked

Reported:	2018-05-08 21:58 UTC by Laura Pardo
Modified:	2021-12-10 16:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ncurses 6.1.20180414
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer dereference was found in the way the _nc_parse_entry function parses terminfo data for compilation. An attacker able to provide specially crafted terminfo data could use this flaw to crash the application parsing it.
Clone Of:
Environment:
Last Closed:	2021-10-21 20:03:47 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-05-08 21:58:27 UTC

A flaw was found in ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1566575

Comment 1 Laura Pardo 2018-05-08 21:58:47 UTC

Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 1576121]

Comment 3 Miroslav Lichvar 2018-05-09 12:55:33 UTC

*** Bug 1566575 has been marked as a duplicate of this bug. ***

Comment 4 Cedric Buissart 2018-05-10 08:24:40 UTC

Upstream patch can be found as part of ftp://ftp.invisible-island.net/ncurses/6.1/ncurses-6.1-20180414.patch.gz

--- ncurses-6.1-20180407+/ncurses/tinfo/parse_entry.c   2017-08-26 19:49:50.000000000 +0000
+++ ncurses-6.1-20180414/ncurses/tinfo/parse_entry.c    2018-04-14 17:41:12.000000000 +0000
@@ -543,9 +543,11 @@
         * Otherwise, look for a base entry that will already
         * have picked up defaults via translation.
         */  
-       for (i = 0; i < entryp->nuses; i++)
-           if (!strchr((char *) entryp->uses[i].name, '+'))
+       for (i = 0; i < entryp->nuses; i++) {
+           if (entryp->uses[i].name != 0
+           && !strchr(entryp->uses[i].name, '+'))
            has_base_entry = TRUE;
+       }   
        }   
 
        postprocess_termcap(&entryp->tterm, has_base_entry);

Note You need to log in before you can comment on or make changes to this bug.