|Summary:||Crash in on certain escape sequences|
|Product:||[Retired] Red Hat Linux||Reporter:||Pavel Roskin <proski>|
|Component:||minicom||Assignee:||Eido Inoue <havill>|
|Status:||CLOSED RAWHIDE||QA Contact:||Brock Organ <borgan>|
|Fixed In Version:||2.00.0-15||Doc Type:||Bug Fix|
|Last Closed:||2003-08-20 21:13:29 UTC||Type:||---|
Description Pavel Roskin 2003-02-12 16:25:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0), minicom crashes when mc exits.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Run minicom
2. Login to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape 0 Enter.

Actual Results: minicom crashes

Expected Results: the command prompt reappears in the minicom window

Additional info:

I haven't tried to reduce this to a minimal case, because the reason for the crash is pretty clear from debugging.

When minicom starts, vt_trans is initialized, but savetrans is not (it contains zeroes because it's static). Then some escape sequence comes and vt_trans is restored from savetrans (although it was never saved there). Using vt_trans after that causes access to memory just above NULL.

There are two fixes - initialize savetrans with the same values as vt_trans or check if vt_trans[charset] is NULL. This patch has both, but only one part is required.

I don't think this bug can be exploited to expose data or execute commands. However, it is possible to use it for a denial of service attack if the attacker can affect the text displayed to other users at startup (not likely).

I contacted the maintainer (Jukka Lahtinen <email@example.com>) and the mailing list firstname.lastname@example.org. The e-mail to the maintainer bounced. There was no reply from the mailing list.
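The restore-before-save condition and the two fixes named in the report, as an added C model (not minicom source and not the attached patch). Only the names vt_trans and savetrans come from the report; demo_map, charset handling, the model_* functions and the 'a' to '#' mapping are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the state described in the report. Only the names
 * vt_trans and savetrans come from the page; the rest is hypothetical. */
static char demo_map[256];     /* constructed translation table */
static char *vt_trans[2];      /* active table per charset */
static char *savetrans[2];     /* static storage: all NULL until written */
static int charset = 0;

/* Startup: vt_trans is always set up. init_saved selects fix 1. */
static void model_init(int init_saved)
{
    for (int i = 0; i < 256; i++)
        demo_map[i] = (char)i;
    demo_map['a'] = '#';                       /* constructed mapping */
    vt_trans[0] = vt_trans[1] = demo_map;
    memset(savetrans, 0, sizeof savetrans);    /* the state at program start */
    if (init_saved)                            /* fix 1: seed the saved copy */
        memcpy(savetrans, vt_trans, sizeof savetrans);
}

/* An escape sequence that restores state that may never have been saved. */
static void model_restore(void)
{
    memcpy(vt_trans, savetrans, sizeof vt_trans);
}

/* Fix 2: validate vt_trans[charset] before indexing it. Without this check
 * the NULL table is dereferenced and the process crashes. */
static int model_translate(unsigned char c)
{
    const char *table = vt_trans[charset];
    if (table == NULL)
        return c;                              /* pass the byte through */
    return (unsigned char)table[c];
}

int main(void)
{
    model_init(0); model_restore();
    printf("no fix 1: table=%p 'a'->'%c'\n", (void *)vt_trans[charset], model_translate('a'));
    model_init(1); model_restore();
    printf("fix 1:    table=%p 'a'->'%c'\n", (void *)vt_trans[charset], model_translate('a'));
    return 0;
}
```

In this model the NULL check alone avoids the crash but leaves the translation table lost after the restore, while seeding savetrans at startup keeps the table in place.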
Comment 1 Pavel Roskin 2003-02-12 16:28:37 UTC
Created attachment 90033
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.
Comment 2 Eido Inoue 2003-08-20 21:13:29 UTC
Thanks for the patch. Incorporated in release 15 in rawhide.