Bug 84129 - Crash in on certain escape sequences
Summary: Crash in on certain escape sequences
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: minicom
Version: 8.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Eido Inoue
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-02-12 16:25 UTC by Pavel Roskin
Modified: 2007-04-18 16:51 UTC (History)
0 users

Fixed In Version: 2.00.0-15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-08-20 21:13:29 UTC


Attachments
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient. (deleted)
2003-02-12 16:28 UTC, Pavel Roskin

Description Pavel Roskin 2003-02-12 16:25:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207
Phoenix/0.5

Description of problem:
If I run "TERM=xterm mc" in minicom (mc is GNU Midnight Commander 4.6.0)
minicom crashes when mc exits.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run minicom
2. Log in to a remote system, make sure it has mc-4.6.0 installed.
3. Run "TERM=xterm mc"
4. Consecutively press Escape 0 Enter.


Actual Results:  minicom crashes

Expected Results:  the command prompt reappears in the minicom window

Additional info:

I haven't tried to reduce this to a minimal case, because the reason for the
crash is pretty clear from debugging.

When minicom starts, vt_trans is initialized, but savetrans is not (it
contains zeroes because it's static).  Then some escape sequence comes and
vt_trans is restored from savetrans (although it was never saved there). Using
vt_trans after that causes access to memory just above NULL.

There are two fixes - initialize savetrans with the same values as
vt_trans or check if vt_trans[charset] is NULL.  This patch has both, but only
one part is required.

I don't think this bug can be exploited to expose data or execute
commands.  However, it is possible to use it for a denial of service
attack if the attacker can affect the text displayed to other users at
startup (not likely).

I contacted the maintainer (Jukka Lahtinen <walker@clinet.fi>) and the mailing
list minicom-devel@bazar.conectiva.com.br.  The e-mail to the maintainer
bounced. There was no reply from the mailing list.
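
The failure mode described in this report, as an added example that is not part of the original report and is not minicom's source: a simplified model of a restore from a never-written static save slot, with both fixes. Only the names `vt_trans` and `savetrans` come from the report; the table layout, `NSETS`, and every function name are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NSETS 2                                /* assumed number of charset slots */

static unsigned char ascii_map[256];           /* constructed identity table */
static const unsigned char *vt_trans[NSETS];   /* active translation tables */
static const unsigned char *savetrans[NSETS];  /* static storage: NULL until written */
static int charset;                            /* index of the selected slot */

/* fix_init != 0 applies the first fix: seed savetrans like vt_trans. */
void term_init(int fix_init)
{
    for (int i = 0; i < 256; i++)
        ascii_map[i] = (unsigned char)i;
    charset = 0;
    for (int i = 0; i < NSETS; i++) {
        vt_trans[i] = ascii_map;
        savetrans[i] = fix_init ? ascii_map : NULL;
    }
}

void save_state(void)    { memcpy(savetrans, vt_trans, sizeof vt_trans); }
void restore_state(void) { memcpy(vt_trans, savetrans, sizeof vt_trans); }

/* Probe: 1 when an unchecked vt_trans[charset][c] would dereference NULL. */
int table_is_null(void) { return vt_trans[charset] == NULL; }

/* Second fix: validate the table pointer, pass the byte through if unset. */
int translate_checked(unsigned char c)
{
    const unsigned char *t = vt_trans[charset];
    return t ? t[c] : c;
}

int main(void)
{
    term_init(0);
    restore_state();                           /* restore with no prior save */
    printf("unfixed init: table NULL=%d, checked 'A' -> %c\n",
           table_is_null(), translate_checked('A'));
    term_init(1);
    restore_state();
    printf("fixed init:   table NULL=%d, checked 'A' -> %c\n",
           table_is_null(), translate_checked('A'));
    return 0;
}
```

Either fix alone keeps the lookup safe: seeding the save slot means a restore never installs NULL, and the pointer check covers any other path that leaves a table unset.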

Comment 1 Pavel Roskin 2003-02-12 16:28:37 UTC
Created attachment 90033
Fix for the crash - initialize savetrans and validate vt_trans. Each part is sufficient.

Comment 2 Eido Inoue 2003-08-20 21:13:29 UTC
Thanks for the patch. Incorporated in release 15 in rawhide.

