Bugtraq mailing list archives



From: dube0866 () EUROBRETAGNE FR (Nicolas Dubee)
Date: Sat, 1 Jan 1994 05:00:35 +0100


ncurses-1.9.9e buffer overflow


Hi,


As always, sorry if it's known stuff.

There is a buffer overflow in ncurses 1.9.9e and older,
a "terminal independent screen-painting subroutines library".

This buffer overflow _may_ not be exploitable, since it is
in the main() function of the 'move cursor' library.
Anyway, here are the technical details.

Check lib_mvcur.c, main() function, line 1128:

[...] (void)strcpy(tname, getenv("TERM")); [...]

then, same thing on line 1204.

The TERM environment variable is copied to tname, which is
defined as char tname[BUFSIZ]. Setting TERM to a value
longer than BUFSIZ (1024) will result in a
buffer overflow. All programs using ncurses-1.9.9e or
previous are vulnerable, including suid ones.

The other calls to 'getenv' seem pretty secure.

I haven't tried to exploit it yet; it should be quite
difficult since the overflow occurs in the main() function.


Patch:
Copy this to the directory where lib_mvcur.c is, apply the patch
and rebuild ncurses and any potential target that uses
ncurses.



1128c1128
<     (void) strcpy(tname, getenv("TERM"));
---
    (void) strncpy(tname, getenv("TERM"),sizeof(tname));
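Review bot: the replacement at line 1128, `strncpy(tname, getenv("TERM"), sizeof(tname))`, stops the overrun but does not guarantee a terminator: when TERM is sizeof(tname) bytes or longer, strncpy fills the whole buffer with no trailing NUL, and any later strlen() or strcpy() on tname reads past its end. Copy at most sizeof(tname) - 1 bytes and set `tname[sizeof(tname) - 1] = '\0';` explicitly, or check the length of the TERM value against sizeof(tname) first and refuse over-long values. Also note that the replacement line has lost its leading `>` marker in the archive copy, so restore it (or apply the change by hand) before feeding this to patch.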
1204c1204
<           (void) strcpy(tname, getenv("TERM"));
---
          (void) strncpy(tname, getenv("TERM"),sizeof(tname));
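Review bot: both call sites, this one at line 1204 and the one at line 1128, still dereference the result of getenv("TERM") unchecked; if TERM is unset, getenv() returns NULL and strncpy() will crash (or worse on systems where address 0 is mapped). Test for NULL before the copy and fall back to a default terminal name or an error return, and apply the same NUL-termination fix as at line 1128. As above, this replacement line is missing its `>` marker.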







P.S.: I'm sorry for the date/time of this message; lots of
people wrote me about this last time, but if you know a
patch that will prevent this shitty AWARD Modular (tm)
BIOS from crashing my CMOS whenever I halt or reboot Linux, please
let me know.

P.S. 2: if you had a job for me :) ...

------------------------
   plaguez / libpcap
dube0866 () eurobretagne fr
   http://www.innu.org
------------------------
ln -sf  flames /dev/null
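As an added example (not the author's patch and not ncurses code), the three copies side by side in C: the length check the post describes, the posted strncpy() fix run in isolation to show its termination gap, and a bounded, NULL-safe copy. TNAME_SIZE stands in for the post's BUFSIZ of 1024, and the TERM values are constructed rather than read from the environment.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the post's BUFSIZ (1024): char tname[BUFSIZ] in lib_mvcur.c. */
#define TNAME_SIZE 1024

/* Would the original strcpy(tname, term) overrun tname[TNAME_SIZE]?
   strcpy writes strlen(term) + 1 bytes, so a 1024-char TERM already overflows. */
int term_overflows_tname(const char *term)
{
    return term != NULL && strlen(term) + 1 > (size_t) TNAME_SIZE;
}

/* The posted fix, strncpy(tname, term, sizeof tname), run in isolation.
   Returns 1 if tname[] ends up NUL-terminated, 0 if strncpy filled every
   byte without a terminator (happens whenever TERM is >= TNAME_SIZE chars). */
int strncpy_fix_terminates(const char *term)
{
    char tname[TNAME_SIZE];
    memset(tname, 'X', sizeof tname);   /* stale bytes, as a stack buffer might hold */
    (void) strncpy(tname, term, sizeof tname);
    return memchr(tname, '\0', sizeof tname) != NULL;
}

/* Hardened copy: NULL-safe, bounded, always terminated.
   Returns 1 if the value fit, 0 if it was truncated, -1 if term is NULL. */
int copy_term_name(char *dst, size_t dstsz, const char *term)
{
    if (dstsz == 0) return -1;
    if (term == NULL) { dst[0] = '\0'; return -1; }
    size_t n = strlen(term);
    if (n >= dstsz) {
        memcpy(dst, term, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, term, n + 1);
    return 1;
}

/* Constructed TERM value of 'len' repeated 'A's, standing in for
   getenv("TERM"); caller frees. */
char *make_term(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}
```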


