
Bug 84129

Summary: Crash in on certain escape sequences
Product: [Retired] Red Hat Linux
Component: minicom
Version: 8.0
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Reporter: Pavel Roskin <proski>
Assignee: Eido Inoue <havill>
QA Contact: Brock Organ <borgan>
Fixed In Version: 2.00.0-15
Doc Type: Bug Fix
Last Closed: 2003-08-20 21:13:29 UTC

Attachments:
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.

Description Pavel Roskin 2003-02-12 16:25:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0)
minicom crashes when mc exits.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run minicom
2. Log in to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape, 0, Enter.


Actual Results:  minicom crashes

Expected Results:  the command prompt reappears in the minicom window

Additional info:

I haven't tried to reduce this to a minimal case, because the reason for the
crash is pretty clear from debugging.

When minicom starts, vt_trans is initialized, but savetrans is not (it
contains zeroes because it's static).  Then some escape sequence comes and
vt_trans is restored from savetrans (although it was never saved there). Using
vt_trans after that causes access to memory just above NULL.

There are two fixes - initialize savetrans with the same values as
vt_trans or check if vt_trans[charset] is NULL.  This patch has both, but only
one part is required.

I don't think this bug can be exploited to expose data or execute
commands.  However, it is possible to use it for a denial of service
attack if the attacker can affect the text displayed to other users at
startup (not likely).

I contacted the maintainer (Jukka Lahtinen <walker@clinet.fi>) and the mailing
list minicom-devel@bazar.conectiva.com.br.  The e-mail to the maintainer
bounced. There was no reply from the mailing list.

Comment 1 Pavel Roskin 2003-02-12 16:28:37 UTC
Created attachment 90033
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.

Comment 2 Eido Inoue 2003-08-20 21:13:29 UTC
Thanks for the patch. Incorporated in release 15 in rawhide
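
The failure mode and the two fixes described in the report, reduced to a small model. This is an added example, not minicom's source and not the attached patch: only the names vt_trans, savetrans and charset come from the report, while NSETS, sample_map, term_init, restore_state, translate and the pass-through fallback are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NSETS 2  /* assumed number of character-set slots */
static unsigned char sample_map[256];    /* constructed table: a-z -> A-Z */
static unsigned char *vt_trans[NSETS];   /* active tables (name from the report) */
static unsigned char *savetrans[NSETS];  /* static storage: starts as all NULL */
static int charset;                      /* index of the active table */

/* Hypothetical startup. init_savetrans=1 applies the first fix from the report. */
void term_init(int init_savetrans)
{
    for (int i = 0; i < 256; i++)
        sample_map[i] = (unsigned char)((i >= 'a' && i <= 'z') ? i - 32 : i);
    for (int i = 0; i < NSETS; i++) {
        vt_trans[i] = sample_map;
        savetrans[i] = init_savetrans ? sample_map : NULL;
    }
    charset = 0;
}

/* Hypothetical handler for an escape sequence that restores saved state. */
void restore_state(void)
{
    memcpy(vt_trans, savetrans, sizeof vt_trans);
}

/* Second fix: never index a NULL table (map[c] would read just above NULL). */
int translate(unsigned char c)
{
    const unsigned char *map = vt_trans[charset];
    return map ? map[c] : c;  /* assumed fallback: pass the byte through */
}

/* Restore with no prior save; returns 1 if the active table is now NULL. */
int restore_leaves_null(int init_savetrans)
{
    term_init(init_savetrans);
    restore_state();
    return vt_trans[charset] == NULL;
}

int main(void)
{
    for (int fix1 = 0; fix1 <= 1; fix1++) {
        int is_null = restore_leaves_null(fix1);
        printf("init_savetrans=%d null=%d 'a'->%c\n", fix1, is_null, translate('a'));
    }
}
```

In this model the NULL check alone prevents the crash but the restored state carries no translation table, while initializing savetrans keeps translation working after the restore.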