CVE-2018-9240: #894724 - ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line
ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a user uses the chat screen and another client sends a long chat message, a crash and denial of service could occur.
Reported by: Jonathan Neuschäfer [email protected]
Date: Tue, 3 Apr 2018 14:51:05 UTC
Severity: normal
Tags: patch, security
Found in versions ncmpc/0.24-1, ncmpc/0.27-1
Fixed in version ncmpc/0.33-1
Done: Geoffroy Youri Berret [email protected]
Bug is archived. No further changes may be made.
Report forwarded to [email protected], [email protected], [email protected], [email protected], Sebastian Harl [email protected]:
Bug#894724; Package ncmpc. (Tue, 03 Apr 2018 14:51:07 GMT)
Acknowledgement sent to Jonathan Neuschäfer [email protected]:
New Bug report received and forwarded. Copy sent to [email protected], [email protected], [email protected], Sebastian Harl [email protected]. (Tue, 03 Apr 2018 14:51:07 GMT)
Message #5 received at [email protected]:
Package: ncmpc
Version: 0.27-1
Severity: normal
Tags: patch security
Hi,
Ncmpc can be crashed when the user uses the chat screen and another client sends a long chat message, due to a NULL pointer dereference.
I have a patch that fixes this for v0.27 (currently in Debian) and v0.29 (newest upstream release). The bug is fixed in upstream’s master branch.
I tagged this report as “security”-related, because the client can be crashed by the actions of another client, but I don’t think this allows anything more serious than a NULL pointer dereference (probably no RCE).
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips, armhf, armel

Kernel: Linux 4.15.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ncmpc depends on:
ii  libc6             2.27-2
ii  libglib2.0-0      2.56.0-4
ii  liblirc-client0   0.10.0-2+b1
ii  libmpdclient2     2.11-1
ii  libncursesw5      6.1-1
ii  libtinfo5         6.1-1

ncmpc recommends no packages.

Versions of packages ncmpc suggests:
ii  mpd            0.20.18-1
pn  ncmpc-lyrics   <none>

-- no debconf information
[chat-crash.patch (text/plain, attachment)]
Marked as found in versions ncmpc/0.24-1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 03 Apr 2018 19:51:08 GMT)
Information forwarded to [email protected], Sebastian Harl [email protected]:
Bug#894724; Package ncmpc. (Wed, 04 Apr 2018 04:57:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso [email protected]:
Extra info received and forwarded to list. Copy sent to Sebastian Harl [email protected]. (Wed, 04 Apr 2018 04:57:04 GMT)
Message #12 received at [email protected]:
Control: retitle -1 ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line
Hi Jonathan,
On Tue, Apr 03, 2018 at 04:48:23PM +0200, Jonathan Neuschäfer wrote:
> I tagged this report as “security”-related, because the client can be crashed by the actions of another client, but I don’t think this allows anything more serious than a NULL pointer dereference (probably no RCE).
MITRE has assigned CVE-2018-9240 for this issue.
Regards, Salvatore
Changed Bug title to ‘ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line’ from ‘ncmpc: Crash in chat screen when another client sends a long line’. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Wed, 04 Apr 2018 04:57:04 GMT)
Added tag(s) pending. Request was from Florian Schlichting [email protected] to [email protected]. (Mon, 07 Jan 2019 22:45:04 GMT)
Reply sent to Geoffroy Youri Berret [email protected]:
You have taken responsibility. (Mon, 14 Jan 2019 22:51:03 GMT)
Notification sent to Jonathan Neuschäfer [email protected]:
Bug acknowledged by developer. (Mon, 14 Jan 2019 22:51:03 GMT)
Message #21 received at [email protected]:
Source: ncmpc
Source-Version: 0.33-1
We believe that the bug you reported is fixed in the latest version of ncmpc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Geoffroy Youri Berret [email protected] (supplier of updated ncmpc package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Mon, 07 Jan 2019 14:55:41 +0100
Source: ncmpc
Binary: ncmpc ncmpc-lyrics
Architecture: source amd64 all
Version: 0.33-1
Distribution: unstable
Urgency: medium
Maintainer: mpd maintainers [email protected]
Changed-By: Geoffroy Youri Berret [email protected]
Description:
 ncmpc - ncurses-based audio player
 ncmpc-lyrics - ncurses-based audio player (lyrics plugins)
Closes: 894724 896059 902699 916731
Changes:
 ncmpc (0.33-1) unstable; urgency=medium
 .
   * Enable pgpmode in watch file, add upstream signing key
   * New upstream release.
     - Fix "CVE-2018-9240 (Closes: #894724)
     - Fix “segfault on bad connection” (Closes: #902699)
     - Fix “Defaults to non-policy-compliant configuration file” (Closes: #896059)
   * Update standards version to 4.3.0. Update debhelper to compat 12 Update upstream Homepage
   * Update d/rules to build with meson. Switch from menu to XDG Desktop file
   * Refactored copyright (dep-5 machine-interpretable format)
   * Takeover for the mpd-team (Closes: #916731)
   * Register html manual with doc-base
Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Mon, 18 Feb 2019 07:26:42 GMT)
Debian bug tracking system administrator <[email protected]>. Last modified: Fri Jan 20 15:32:35 2023; Machine Name: buxtehude