Re: Status of CVE-2018-19217

[Damien Guibouret]

Hello,

On 20/04/2019 19:48, Sylvain Beucler wrote:
> Hi,
>
> On Sat, Apr 20, 2019 at 07:43:46PM +0200, Damien Guibouret wrote:
> > On 20/04/2019 18:44, Damien Guibouret wrote:
> > > On 20/04/2019 10:10, Sylvain Beucler wrote:
> > > > On Fri, Apr 19, 2019 at 09:38:51PM +0200, Damien Guibouret wrote:
> > > > > On 19/04/2019 12:28, Sylvain Beucler wrote:
> > > > > > On 16/04/2019 00:54, Thomas Dickey wrote:
> > > > > > > On Mon, Apr 15, 2019 at 12:23:28PM +0200, Sylvain Beucler wrote:
> > > > > > > > As part of the Debian LTS project I'm triaging active ncurses
> > > > > > > > vulnerabilities.
> > > > > > > >
> > > > > > > > For CVE-2018-19217, it seems nobody is able to reproduce the bug:
> > > > > > > > "In ncurses 6.1, there is a NULL pointer dereference at the function
> > > > > > > > _nc_name_match that will lead to a denial of service attack."
> > > > > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217
> > > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1643753
> > > > > > > >
> > > > > > > > I myself couldn't find a 6.1 version that crashes on this POC.
> > > > > > > > It was never properly reported to the ncurses project itself, so I'm
> > > > > > > > doing that now.
> > > > > > > >
> > > > > > > > Do you consider this bug valid?
> > > > > > > no - it was reported in the wrong place, and I was
> > > > > > > unable to reproduce it.
> > > > > > >
> > > > > > > > If not, I can request a rejection of this CVE.
> > > > > > > sounds good
> > > > > > MITRE now marks it as "** DISPUTED **".
> > > > > > Not much more I can do AFAIK.
> > > > >
> > > > > I was able to reproduce it with the 2 following versions:
> > > > > ncurses 5.9.20130518
> > > > > ncurses 6.0.20160213
> > > > > but not with
> > > > > ncurses 6.1.20190202
> > > > >
> > > > > The problem is in _nc_save_str. In case it cannot copy the string it
> > > > > displays a warning and return NULL. Futur use of the string will lead to
> > > > > some segmentation fault.
> > > > > With the 2 first versions, I saw the "Too much data, some is
> > > > > lost" warning
> > > > > (there was a bunch of other warnings before getting the failure,
> > > > > so it does
> > > > > not SIGSEGV at once), not with the last one, but perhaps only because it
> > > > > parses the string differently.
> > > >
> > > > Is this a duplicate of
> > > > https://invisible-island.net/ncurses/NEWS.html#index-t20170826
> > > >     + allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
> > > > (CVE-2017-13729) or something else?
> > >
> > > It does not seems to be the same.
> > > It fails for the same versions and not for the last one, but I did not
> > > get the "Too much data, some is lost" warning, so corruption seems to be
> > > somewhere else.
> >
> > Looking further to this one, it is completly fixed (add of check that
> > strings are valid in postprocess_termcap function through using PRESENT
> > macro).
>
> Thanks!
>
> I'm interested in the version this was introduced in, so we can
> clearly mark the various distro packages as affected/not-affected.
> Do you happen to know it?
>
> Cheers!
> Sylvain

I've checked some more on first one.
It is fixed as well with adding of checks in _nc_parse_entry.

They are both fixed by the CVE you spotted, even if it is at two 
different locations (ncurses 6.0 - patch 20170826).
Looking at the changelog, all the corrections regarding "check for 
cancelled strings/invalid strings" covers these issues and certainly 
some other, so there are handled in several Redhat bug reports.

Regards,

Damien