Bug 1115929 – VUL-1: CVE-2018-19211: ncurses: There is a Segmentation fault on unknown address in function _nc_parse_entry in libncurses.

Bug 1115929 - (CVE-2018-19211) VUL-1: CVE-2018-19211: ncurses: There is a Segmentation fault on unknown address in function _nc_parse_entry in libncurses.

(CVE-2018-19211)
Summary:	VUL-1: CVE-2018-19211: ncurses: There is a Segmentation fault on unknown addr...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/219076/
Whiteboard:	CVSSv2:NVD:CVE-2018-19211:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-11-14 06:41 UTC by Marcus Meissner
Modified:	2020-07-10 14:42 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
poc1 (7.04 KB, application/octet-stream) 2018-11-14 06:50 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2018-11-14 06:41:36 UTC

rh#1643754

In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry
in parse_entry.c that will lead to a denial of service attack.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1643754
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19211

Comment 1 Marcus Meissner 2018-11-14 06:50:57 UTC

Created attachment 789630 [details]
poc1

QA REPRODUCER:

captoinfo poc1

should not crash

Comment 2 Marcus Meissner 2018-11-14 06:51:36 UTC

tumbleweed 6.1 does not crash
42.3 ncurses 5.x crahes

Comment 3 Dr. Werner Fink 2018-11-16 13:38:07 UTC

Hmm it does not crash but report errors on both tumbleweed and Leap15

werner/ncurses> captoinfo -o /tmp/xxx checks/poc1
"checks/poc1", line 1, col 32: dubious character `*' in name or alias field
"checks/poc1", line 1, col 32: invalid entry name "a*??*??????j???5"
[...]
a*??*??????j???5,
        bel=^G, cr=\r, cud1=\n, ht=^I, ind=\n, kbs=^H, kcub1=^H,
        kcud1=\n, nel=\r\n,
j??5,
        acsc=, bel=^G, cr=\r, cud1=\n, ht=^I, ind=\n, kbs=^H, kcub1=^H,
        kcud1=\n, nel=\r\n, rs2=,

Comment 4 Dr. Werner Fink 2018-11-16 13:52:01 UTC

(In reply to Marcus Meissner from comment #2)
> tumbleweed 6.1 does not crash
> 42.3 ncurses 5.x crahes

Indeed this crash on SLE-12 with latest ncurses

Comment 5 Dr. Werner Fink 2018-11-16 13:56:47 UTC

Btw: captoinfo is part of package ncurses-devel

Comment 6 Dr. Werner Fink 2018-11-20 10:20:28 UTC

FIXED with SR#178044

Comment 9 Swamp Workflow Management 2018-12-03 20:12:12 UTC

SUSE-SU-2018:3967-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1115929
CVE References: CVE-2018-19211
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ncurses-5.9-61.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ncurses-5.9-61.1
SUSE Linux Enterprise Server 12-SP4 (src):    ncurses-5.9-61.1
SUSE Linux Enterprise Server 12-SP3 (src):    ncurses-5.9-61.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ncurses-5.9-61.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ncurses-5.9-61.1
SUSE CaaS Platform ALL (src):    ncurses-5.9-61.1
SUSE CaaS Platform 3.0 (src):    ncurses-5.9-61.1
OpenStack Cloud Magnum Orchestration 7 (src):    ncurses-5.9-61.1

Comment 10 Swamp Workflow Management 2018-12-07 11:16:31 UTC

SUSE-SU-2018:4000-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1103320,1115929
CVE References: CVE-2018-19211
Sources used:
SUSE Linux Enterprise Module for Legacy Software 15 (src):    ncurses-6.1-5.3.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    ncurses-6.1-5.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ncurses-6.1-5.3.1

Comment 11 Swamp Workflow Management 2018-12-07 23:15:56 UTC

openSUSE-SU-2018:4034-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1115929
CVE References: CVE-2018-19211
Sources used:
openSUSE Leap 42.3 (src):    ncurses-5.9-66.1

Comment 12 Swamp Workflow Management 2018-12-08 14:14:45 UTC

openSUSE-SU-2018:4055-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1103320,1115929
CVE References: CVE-2018-19211
Sources used:
openSUSE Leap 15.0 (src):    ncurses-6.1-lp150.4.3.1

Comment 17 Alexandros Toptsoglou 2020-07-10 14:42:25 UTC

Done