Bug 23135 - ncurses new security issue CVE-2018-10754
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK
Keywords: advisory, has_procedure, validated_update
Reported: 2018-06-07 22:18 CEST by David Walser
Modified: 2022-06-14 15:17 CEST

Source RPM: ncurses-6.0-8.1.mga6.src.rpm
Status comment: Patch available from Fedora



David Walser 2018-06-07 22:19:06 CEST

Status comment: (none) => Patch available from Fedora

Comment 1 Marja Van Waes 2018-06-08 21:21:38 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Mike Rambo 2018-06-19 14:37:34 CEST
Patched package uploaded for Mageia 6.

Advisory:
========================

Updated ncurses package fixes security vulnerability:

A flaw was found in ncurses before 6.1.20180414 where a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax (CVE-2018-10754).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754
https://bugzilla.redhat.com/show_bug.cgi?id=1576119
========================

Updated packages in core/updates_testing:
========================
lib64ncurses5-6.0-8.2.mga6
lib64ncurses6-6.0-8.2.mga6
lib64ncurses-devel-6.0-8.2.mga6
lib64ncursesw5-6.0-8.2.mga6
lib64ncursesw6-6.0-8.2.mga6
lib64ncursesw-devel-6.0-8.2.mga6
ncurses-6.0-8.2.mga6
ncurses-extraterms-6.0-8.2.mga6

from ncurses-6.0-8.2.mga6.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21197#c12

Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo
Keywords: (none) => has_procedure

Comment 3 Len Lawrence 2018-06-20 11:23:43 CEST
Mageia 6, x86_64

Before updating:

CVE-2018-10754
https://bugzilla.redhat.com/show_bug.cgi?id=1566575
$ tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո��������������������� ������������ڸ������������������������������ڸ����������������������������������bbbbbbbbbbbbbbbbbbbbbbbbbbbb�����������������������������������������ո����������������������������������������������bbbWbbbbbbbbbbbbbbbbbbbbbbbb����������������bbbbbbb�����������������������������������������ո����������������������������������ڸ�����������������C@@:tc=t:cVVVVVVVV=�$C@@@@B��������������������������������������������������������������"
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t
Segmentation fault (core dumped)

----------------------------------------------------------------------------

Updated the packages:

- lib64ncurses-devel-6.0-8.2.mga6.x86_64
- lib64ncurses5-6.0-8.2.mga6.x86_64
- lib64ncurses6-6.0-8.2.mga6.x86_64
- lib64ncursesw-devel-6.0-8.2.mga6.x86_64
- lib64ncursesw5-6.0-8.2.mga6.x86_64
- lib64ncursesw6-6.0-8.2.mga6.x86_64
- ncurses-6.0-8.2.mga6.x86_64
- ncurses-extraterms-6.0-8.2.mga6.x86_64

$ tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո��������������������� ������������ڸ��������������������������
[...]
��������������������������������������������������������': Too much data, some is lost: 

Segmentation fault (core dumped)

This output resembles that from the pre-update test but is much more verbose, which demonstrates that something has changed, like the application of a patch, but the segfault has not been intercepted.
Leaving this open for comments.

$ urpmq --whatrequires ncurses | sort -u
basesystem-minimal
cmus
eterm
gfs2-utils
kon2
mindi
ncurses
ncurses-extraterms
nethogs
quagga
tritonus-fluidsynth

Referring to the test procedure linked above:

$ strace top 2> top.trace
$ grep ncurses top.trace
$ urpmq --requires-recursive irssi | sort -u | grep ncurses
lib64ncurses6
$ urpmq --requires-recursive ettercap | sort -u | grep ncurses
lib64ncurses6
lib64ncursesw6

Installed ettercap and ran
$ ettercap -C
which showed the interface in a terminal.  Set some options from the menus but don't really have a clue about use and no time to investigate but curses is working.

irssi I am familiar with.  Onto freenode and joined #mageia-qa, gave a shout and left.  No problems.

Leaving this one hanging.  Shall check back in a week or so.  Probably OK.

CC: (none) => tarazed25
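
The before/after `tic POC` check in Comment 3 can be scripted so that a crash of the terminfo compiler is told apart from a clean rejection of the malformed entry. This is an added example, not part of the bug report or of the Mageia test procedure; the function name `check_tic_run` is hypothetical and the reproducer file itself is not included.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how a terminfo compiler
# run ended, so a QA check can tell "rejected bad input" from "crashed on it".
#
# check_tic_run SOURCE [COMPILER [ARGS...]]
#   SOURCE    terminfo source file to compile (for instance the reproducer)
#   COMPILER  command to run; defaults to `tic` (overridable for testing)
# Prints exactly one of:
#   ok              compiler exited 0
#   rejected        compiler exited non-zero on its own (input refused)
#   crashed:<N>     compiler was killed by signal N (11 = SIGSEGV on Linux)
check_tic_run() {
    ctr_src=$1
    shift
    [ "$#" -gt 0 ] || set -- tic

    # Compile into a throwaway directory so a test entry never lands in
    # ~/.terminfo or the system terminfo database.
    ctr_out=$(mktemp -d) || return 2

    ctr_status=0
    "$@" -o "$ctr_out" "$ctr_src" >/dev/null 2>&1 || ctr_status=$?
    rm -rf "$ctr_out"

    # The shell reports death by signal N as exit status 128+N.
    if [ "$ctr_status" -eq 0 ]; then
        echo ok
    elif [ "$ctr_status" -gt 128 ]; then
        echo "crashed:$((ctr_status - 128))"
    else
        echo rejected
    fi
}
```

Run as `check_tic_run POC` before and after installing the update; a `crashed:11` result corresponds to the `Segmentation fault (core dumped)` line shown in Comment 3.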

Comment 4 Nicolas Salguero 2018-06-26 10:06:11 CEST
With the patch from https://patchwork.openembedded.org/patch/150918/, there is no more segmentation fault.

Advisory:
========================

Updated ncurses package fixes security vulnerability:

A flaw was found in ncurses before 6.1.20180414 where a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax (CVE-2018-10754).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754
https://bugzilla.redhat.com/show_bug.cgi?id=1576119
========================

Updated packages in core/updates_testing:
========================
lib(64)ncurses5-6.0-8.3.mga6
lib(64)ncurses6-6.0-8.3.mga6
lib(64)ncurses-devel-6.0-8.3.mga6
lib(64)ncursesw5-6.0-8.3.mga6
lib(64)ncursesw6-6.0-8.3.mga6
lib(64)ncursesw-devel-6.0-8.3.mga6
ncurses-6.0-8.3.mga6
ncurses-extraterms-6.0-8.3.mga6

from ncurses-6.0-8.3.mga6.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 5 Herman Viaene 2018-06-29 11:58:18 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Tried ettercap -C, that displayed a menu, I could click on these, but no reaction whatsoever
irssi: I could connect to freenode, join #mageia-qa, shouted a bit, but no response, left it.
drakdm shows up OK.
OK as far as I am concerned.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 6 Dave Hodgins 2018-07-01 04:19:45 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2018-07-01 19:18:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0299.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 8 David Walser 2022-06-14 15:17:54 CEST
This is the same issue as CVE-2018-19211:
https://ubuntu.com/security/CVE-2018-19211
