Hi,
On Fri, Apr 19, 2019 at 09:38:51PM +0200, Damien Guibouret wrote:
On 19/04/2019 12:28, Sylvain Beucler wrote:
On 16/04/2019 00:54, Thomas Dickey wrote:
On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
As part of the Debian LTS project I'm triaging active ncurses
vulnerabilities.
For CVE-2018-19217, it seems nobody is able to reproduce the bug:
"In ncurses 6.1, there is a NULL pointer dereference at the function
_nc_name_match that will lead to a denial of service attack."
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
https://bugzilla.redhat.com/show_bug.cgi?id=1643753
I myself couldn't find a 6.1 version that crashes on this POC.
It was never properly reported to the ncurses project itself, so I'm
doing that now.
Do you consider this bug valid?
no - it was reported in the wrong place, and I was unable to reproduce it.
If not, I can request a rejection of this CVE.
sounds good
MITRE now marks it as "** DISPUTED **".
Not much more I can do AFAIK.
I was able to reproduce it with the 2 following versions:
ncurses 5.9.20130518
ncurses 6.0.20160213
but not with
ncurses 6.1.20190202
The problem is in _nc_save_str. In case it cannot copy the string, it
displays a warning and returns NULL. Future use of the string will lead to
a segmentation fault.
With the first 2 versions, I saw the "Too much data, some is lost" warning
(there were a bunch of other warnings before getting the failure, so it does
not SIGSEGV at once), but not with the last one, though perhaps only because it
parses the string differently.
Is this a duplicate of
https://invisible-island.net/ncurses/NEWS.html#index-t20170826
+ allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
(CVE-2017-13729) or something else?
Cheers!
Sylvain
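Added illustration (not ncurses code, and not from anyone in this thread) of the failure mode described above: a bounded string pool whose save routine warns and returns NULL when it is full, an unchecked matcher that would dereference that NULL, and a checked matcher that treats it as "no match". Pool size, function names and the sample terminal names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a bounded string pool. Like the _nc_save_str
 * behaviour described in the thread, saving fails with a warning and
 * NULL once the pool is full. Size and names are assumptions. */
#define POOL_SIZE 32

static char pool[POOL_SIZE];
static size_t pool_used = 0;

/* Empty the pool so the demo can be run repeatedly. */
void pool_reset(void) {
    pool_used = 0;
    memset(pool, 0, sizeof pool);
}

/* Copy s into the pool; return its address, or NULL when it does not fit. */
const char *save_str(const char *s) {
    size_t need = strlen(s) + 1;            /* include the terminating NUL */
    if (need > POOL_SIZE - pool_used) {
        fprintf(stderr, "Too much data, some is lost\n");
        return NULL;                        /* caller must handle this */
    }
    char *dst = pool + pool_used;
    memcpy(dst, s, need);
    pool_used += need;
    return dst;
}

/* Unchecked matcher: assumes the saved name is never NULL. After an
 * overflowed pool this dereferences NULL, the crash pattern discussed. */
int name_match_unchecked(const char *saved, const char *query) {
    return strcmp(saved, query) == 0;
}

/* Checked matcher: a NULL saved name simply never matches. */
int name_match_checked(const char *saved, const char *query) {
    if (saved == NULL || query == NULL)
        return 0;
    return strcmp(saved, query) == 0;
}

/* Drive the pool past its limit; returns 1 (first name matched, second
 * saved as NULL and safely rejected). */
int demo(void) {
    pool_reset();
    const char *a = save_str("xterm-256color");        /* 15 bytes, fits */
    const char *b = save_str("rxvt-unicode-256color"); /* 22 bytes, too many */
    return name_match_checked(a, "xterm-256color")
         + 2 * name_match_checked(b, "rxvt-unicode-256color");
}
```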