Below is the report (snipped):
--- Begin report ---
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 3
Advisory Name: libncurses buffer overflow
Date: 24/4/00
Application: NCURSES 1.8.6 / FreeBSD 3.4-STABLE
Vendor: FreeBSD Inc.
WWW: www.freebsd.org
Severity: setuid programs linked with libncurses
can be exploited to obtain root access.
Author: venglin (ven...@freebsd.lublin.pl)
Homepage: www.b0f.com
* Vulnerable Versions
- 3.4-STABLE -- vulnerable
- 4.0-STABLE -- not tested (probably *not* vulnerable)
- 5.0-CURRENT -- *not* vulnerable
* The Problem
lubi:venglin:~> cat tescik.c
#include <ncurses.h>
main() { initscr(); }
lubi:venglin:~> cc -g -o te tescik.c -lncurses
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> gdb ./te
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /usr/home/venglin/./te
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: ven...@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
--- End report ---
An explanation of my query - I work for Infrastructure Defense, Inc., which provides private publications to Fortune 500 companies about information/computer security trends, vulnerabilities, etc. I strive to contact the appropriate parties whenever there is a question as to the veracity of a post, claim, other. Hence, my email to you.
I hope to hear from you soon.
Servio Medina - sme...@idefense.com
Information Security Analyst
www.idefense.com
>How-To-Repeat:
?
>Fix:
?
>Release-Note:
>Audit-Trail:
>Unformatted:
From: Kris Kennaway <kr...@FreeBSD.org>
To: sme...@idefense.com
Cc: freebsd-gn...@FreeBSD.org
Subject: Re: ports/18208: Reported Vulnerability in ncurses
Date: Wed, 26 Apr 2000 11:35:05 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 25 Apr 2000 sme...@idefense.com wrote:
> The purpose of this email is twofold: 1) to inform you of a reported
> vulnerability by a third party, not myself, involving one of your
> products, and 2) to obtain confirmation/clarification and knowledge of
> any measures taken to address this in the event it is viable.
Thanks for the notification. Unfortunately the security officers only
found out about the bug at the same time the rest of the world did (when
it was announced on Bugtraq), but it was fixed in -stable as of last
night. I'm working on an advisory at present.
The impact of the bug was much less severe than the bugtraq report would
lead you to believe: it IS a security issue, but it doesn't pose a threat
to anything in the base system, and only poses a major threat to certain
badly-coded ports (the only one we know of at the moment which allows a
local root exploit is an old version of the net/mtr port, which was
already the subject of FreeBSD Advisory 00:09 and was fixed a month and
a half ago after a separate vulnerability was discovered).
For future reference, a more appropriate forum to send security concerns
is security...@FreeBSD.org which reaches the FreeBSD Security Officer
team, or secu...@freebsd.org which is a general-audience mailing list for
discussion of FreeBSD security.
Thanks for your report!
Kris
- ----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <fors...@alum.mit.edu>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Comment: Made with pgp4pine 1.74
Charset: noconv
-----END PGP SIGNATURE-----
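Added example (not part of this thread, the advisory, or the FreeBSD fix): one way a setuid program can protect itself before calling initscr() is to drop the caller's terminal-database variables from its environment so the library falls back to the system database. The function names, the variable list beyond TERMCAP, and the 64-byte TERM cap are assumptions made for this sketch; the sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Variables a termcap/terminfo library may read at start-up. TERMCAP is the
 * one named in the report; the others are an assumed list for this sketch. */
static const char *const term_vars[] =
    { "TERMCAP", "TERMINFO", "TERMINFO_DIRS", "TERMPATH", NULL };
#define TERM_NAME_MAX 64 /* assumed upper bound for the value of TERM */

/* Return 1 if the entry "NAME=value" sets the variable `name`. */
static int sets_var(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Compact envp in place, dropping terminal-database variables and an
 * over-long TERM. Returns the number of entries removed. */
size_t scrub_term_env(char **envp) {
    size_t removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        int drop = 0;
        for (size_t i = 0; term_vars[i] != NULL; i++)
            if (sets_var(*in, term_vars[i]))
                drop = 1;
        if (sets_var(*in, "TERM") && strlen(*in) - 5 > TERM_NAME_MAX)
            drop = 1; /* 5 == strlen("TERM=") */
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Constructed sample environment: TERMCAP holds 5000 'A's, as in the report. */
static char sample_termcap[8 + 5000 + 1];
static char *sample_env[] =
    { "PATH=/bin:/usr/bin", sample_termcap, "TERM=vt100", NULL };

size_t demo_scrub(void) {
    memcpy(sample_termcap, "TERMCAP=", 8);
    memset(sample_termcap + 8, 'A', 5000); /* static storage: already NUL-terminated */
    return scrub_term_env(sample_env);
}

int main(void) {
    printf("removed %zu entries\n", demo_scrub());
    return 0;
}
```

In a real privileged program the array passed in would be `environ`, and the call would come before any terminal library initialisation.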
Responsible-Changed-From-To: freebsd-ports->will
Responsible-Changed-By: steve
Responsible-Changed-When: Sat Apr 29 16:25:08 PDT 2000
Responsible-Changed-Why:
Over to port's maintainer.