From: Damien Guibouret
Subject: Re: Status of CVE-2018-19217
Date: Fri, 19 Apr 2019 21:38:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

Hello,

I was able to reproduce it with the 2 following versions:
ncurses 5.9.20130518
ncurses 6.0.20160213
but not with ncurses 6.1.20190202

The problem is in _nc_save_str. In case it cannot copy the string, it displays a warning and returns NULL. Future use of the string will lead to some segmentation fault. With the 2 first versions, I saw the "Too much data, some is lost" warning (there was a bunch of other warnings before getting the failure, so it does not SIGSEGV at once), not with the last one, but perhaps only because it parses the string differently.

Regards,
Damien

On 19/04/2019 12:28, Sylvain Beucler wrote:
> Hi,
>
> On 16/04/2019 00:54, Thomas Dickey wrote:
>> On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
>>> As part of the Debian LTS project I'm triaging active ncurses vulnerabilities.
>>>
>>> For CVE-2018-19217, it seems nobody is able to reproduce the bug:
>>> "In ncurses 6.1, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack."
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1643753
>>>
>>> I myself couldn't find a 6.1 version that crashes on this POC.
>>>
>>> It was never properly reported to the ncurses project itself, so I'm doing that now.
>>>
>>> Do you consider this bug valid?
>>
>> no - it was reported in the wrong place, and I was unable to reproduce it.
>>
>>> If not, I can request a rejection of this CVE.
>>
>> sounds good
>
> MITRE now marks it as "** DISPUTED **". Not much more I can do AFAIK.
>
> Thanks!
> - Sylvain

_______________________________________________
Bug-ncurses mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/bug-ncurses
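
A reduced model of the failure mode described in the message above, as an added example that is neither ncurses source nor code from the thread: a bounded string-table save that returns NULL when the data does not fit, and the guard a later name comparison needs. The names `pool_save`, `name_match_safe` and `load_names`, the 32-byte pool and the sample terminal names are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 32                 /* tiny on purpose; constructed value */

static char   pool[POOL_SIZE];
static size_t pool_used;

/* Hypothetical stand-in for a bounded "save string" routine:
 * copies s into the pool, or returns NULL when it does not fit. */
static const char *pool_save(const char *s)
{
    size_t len = strlen(s) + 1;
    if (len > POOL_SIZE - pool_used)
        return NULL;                 /* "too much data": caller must check */
    char *dst = pool + pool_used;
    memcpy(dst, s, len);
    pool_used += len;
    return dst;
}

/* Comparison that tolerates a NULL left behind by a failed save.
 * Without this guard, strcmp() on the NULL entry is the crash. */
static int name_match_safe(const char *stored, const char *wanted)
{
    if (stored == NULL || wanted == NULL)
        return 0;
    return strcmp(stored, wanted) == 0;
}

/* Constructed input: the third name cannot fit in the 32-byte pool. */
static const char *const NAMES[3] = {
    "xterm-256color", "vt100", "a-very-long-terminal-alias"
};
static const char *saved[3];

/* Saves every name and returns how many were dropped (stored as NULL). */
static size_t load_names(void)
{
    size_t dropped = 0;
    pool_used = 0;
    for (size_t i = 0; i < 3; i++)
        if ((saved[i] = pool_save(NAMES[i])) == NULL)
            dropped++;
    return dropped;
}

int main(void)
{
    printf("dropped=%zu\n", load_names());
    printf("match dropped entry: %d\n", name_match_safe(saved[2], NAMES[2]));
    return 0;
}
```

Counting the dropped entries at load time lets the caller treat truncation as a hard error, so a warning followed by a later dereference cannot happen.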