Bug 1576119 (CVE-2018-10754) - CVE-2018-10754 ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.
Status: CLOSED ERRATA
Alias: CVE-2018-10754
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 1566575
Depends On: 1576120 1576121 1576823
Reported: 2018-05-08 21:58 UTC by Laura Pardo
Modified: 2021-12-10 16:07 UTC (History)

Fixed In Version: ncurses 6.1.20180414
Last Closed: 2021-10-21 20:03:47 UTC

Description Laura Pardo 2018-05-08 21:58:27 UTC
A flaw was found in ncurses before 6.1.20180414: there is a NULL pointer dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name has invalid syntax.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1566575

Comment 1 Laura Pardo 2018-05-08 21:58:47 UTC
Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 1576121]

Comment 3 Miroslav Lichvar 2018-05-09 12:55:33 UTC
*** Bug 1566575 has been marked as a duplicate of this bug. ***

Comment 4 Cedric Buissart 2018-05-10 08:24:40 UTC
Upstream patch can be found as part of ftp://ftp.invisible-island.net/ncurses/6.1/ncurses-6.1-20180414.patch.gz

--- ncurses-6.1-20180407+/ncurses/tinfo/parse_entry.c   2017-08-26 19:49:50.000000000 +0000
+++ ncurses-6.1-20180414/ncurses/tinfo/parse_entry.c    2018-04-14 17:41:12.000000000 +0000
@@ -543,9 +543,11 @@
         * Otherwise, look for a base entry that will already
         * have picked up defaults via translation.
         */  
-       for (i = 0; i < entryp->nuses; i++)
-           if (!strchr((char *) entryp->uses[i].name, '+'))
+       for (i = 0; i < entryp->nuses; i++) {
+           if (entryp->uses[i].name != 0
+           && !strchr(entryp->uses[i].name, '+'))
            has_base_entry = TRUE;
+       }   
        }   
 
        postprocess_termcap(&entryp->tterm, has_base_entry);
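
Review bot: The new NULL guard in the `for` loop over `entryp->uses` skips an entry whose `name` is NULL without reporting it, so an invalid use-name is silently ignored here and `has_base_entry` is computed as if that use clause did not exist. Consider emitting a warning at this point, or rejecting the entry where `uses[i].name` is first populated, and check that any other code walking `entryp->uses` up to `nuses` applies the same `name != 0` test, since these lines guard only this one `strchr` call. Minor: the `(char *)` cast was dropped in the same change, so confirm `name` is declared with a type `strchr` accepts without a warning.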

