Bug 1766745 (CVE-2019-17594) - CVE-2019-17594 ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c
Status: CLOSED ERRATA
Alias: CVE-2019-17594
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1766746 1786351 1786352
Blocks: 1766748
Reported: 2019-10-29 19:26 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-09 18:44 UTC (History)

Last Closed: 2021-10-25 22:11:06 UTC


Links: Red Hat Product Errata RHSA-2021:4426 (last updated 2021-11-09 18:44:45 UTC)

Description Guilherme de Almeida Suckevicz 2019-10-29 19:26:14 UTC
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Reference:
https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html

Comment 1 Guilherme de Almeida Suckevicz 2019-10-29 19:27:12 UTC
Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 1766746]

Comment 3 Marco Benatto 2019-12-24 14:30:43 UTC
Upstream patch for this issue:

https://github.com/mirror/ncurses/commit/b025434573f466efe27862656a6a9d41dd2bd609

commit b025434573f466efe27862656a6a9d41dd2bd609
Author: Thomas E. Dickey <dickey@invisible-island.net>
Date:   Sun Oct 13 01:25:51 2019 +0000

    ncurses 6.1 - patch 20191012

    + amend recent changes to ncurses*-config and pc-files to filter out
      Debian linker-flags (report by Sven Joachim, cf: 20150516).
    + clarify relationship between tic, infocmp and captoinfo in manpage.
    + check for invalid hashcode in _nc_find_type_entry and
      _nc_find_name_entry.
    > fix several errata in tic (reports/testcases by "zjuchenyuan"):
    + check for invalid hashcode in _nc_find_entry.
    + check for missing character after backslash in fmt_entry
    + check for acsc with odd length in dump_entry in check for one-one
      mapping (cf: 20060415);
    + check length when converting from old AIX box_chars_1 capability,
      overlooked in changes to eliminate strcpy (cf: 20001007).
    + amend the ncurses*-config and pc-files to take into account the rpath

Comment 4 Marco Benatto 2019-12-24 15:06:15 UTC
There's an issue with ncurses when parsing terminal capabilities information files (terminfo files). The capabilities names are kept in a hash table; during the parsing, ncurses tries to match names found in the terminfo file with those hashed entries from its internal tables in function _nc_find_entry(). However, some strings may cause the hash algorithm to overflow and generate invalid hash tags, which are further used to walk over the related hash table, returning invalid data, which will be further used to retrieve data from captables residing in the process's heap. An attacker may take advantage of this weakness by crafting a terminfo file which may trigger the bug, resulting in low confidentiality, low integrity and low availability impact as depicted below:

Low confidentiality: The heap overflow causes an out-of-bounds read which may expose some chunks of data contained in the task's heap;
Low integrity: Eventually the overflow could result in memory corruption of some bytes contained in the heap;
Low availability: The overflow may cause invalid memory access leading to a segmentation fault causing DoS; however, only the single run for this single user will be affected.
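
A small C illustration of the defect class described in comment 4, added here and not taken from ncurses: the capability table, its names and the shift-and-add hash are constructed for the example, and find_entry_checked shows the kind of bounds check on the hash code that the upstream changelog entry ("check for invalid hashcode in _nc_find_entry") refers to, applied before the code is used as a table index.

```c
#include <stdio.h>
#include <string.h>
#define TABLE_SIZE 8

/* Constructed capability table for this example (not ncurses' captab). */
struct cap_entry {
    const char *name;   /* capability name, NULL marks an empty slot */
    int index;          /* position in the (constructed) capability table */
};

/* Each name sits in the slot its hash_of() value selects. */
static const struct cap_entry table[TABLE_SIZE] = {
    {NULL, 0}, {NULL, 0}, {NULL, 0},
    {"cols", 0},        /* slot 3 */
    {"xenl", 1},        /* slot 4 */
    {"am",   2},        /* slot 5 */
    {NULL, 0},
    {"bw",   3},        /* slot 7 */
};

/* Constructed shift-and-add hash. The accumulator is narrowed to a signed
 * int before the modulo, so names long enough to wrap past INT_MAX produce
 * a negative "hash code": an index that lies outside [0, TABLE_SIZE). */
int hash_of(const char *name)
{
    unsigned h = 0;
    for (; *name != '\0'; ++name)
        h = (h << 5) + (unsigned char)*name;
    return (int)h % TABLE_SIZE;
}

/* Hardened lookup. The unchecked form is just &table[hash_of(name)], which
 * reads outside the table whenever the hash code is invalid; here the code
 * is validated first, and the slot must actually carry the requested name. */
const struct cap_entry *find_entry_checked(const char *name)
{
    int hv = hash_of(name);
    if (hv < 0 || hv >= TABLE_SIZE)
        return NULL;                     /* invalid hashcode: not found */
    const struct cap_entry *e = &table[hv];
    return (e->name != NULL && strcmp(e->name, name) == 0) ? e : NULL;
}

int main(void)
{
    const struct cap_entry *e = find_entry_checked("capname");
    printf("hash_of(\"capname\") = %d -> %s\n", hash_of("capname"),
           e ? "found" : "not found");   /* negative code, not found */
    return 0;
}
```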

Comment 9 Sonu Khan 2020-01-27 13:34:12 UTC
Hi Marco,

Are there any steps to reproduce this issue, or any mitigation?

Comment 12 Marco Benatto 2020-02-28 17:36:13 UTC
In reply to comment #9:
> Hi Marco,
> 
> Is there any steps to reproduce this issue or for mitigation?

Hello,

Sorry about the delay. Unfortunately, the only possible mitigation for this issue is to avoid manipulating terminfo files from untrusted sources.

thanks,

Comment 14 errata-xmlrpc 2021-11-09 18:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4426 https://access.redhat.com/errata/RHSA-2021:4426

