Bug#914301: tmux: CVE-2018-19387: NULL Pointer Dereference in format_cb_pane_tabs in format.c
On Fri, Nov 23, 2018 at 1:06 PM Salvatore Bonaccorso wrote:
> Oh well I see, yes then it was not very helpful from my side. Sorry.
> Yes you are right. I understand now and as well your concerns on my
> report. Given upstream did address it as such, could you contact
> upstream to see what's their take on this?

Okay, I asked and upstream says this is not a security issue:
https://github.com/tmux/tmux/issues/1547#issuecomment-441228660

Bug#914301: tmux: CVE-2018-19387: NULL Pointer Dereference in format_cb_pane_tabs in format.c
Hi Romain,

[Adding Moritz to CC]

On Fri, Nov 23, 2018 at 12:33:26PM +0100, Romain Francoise wrote:
> Hi Salvatore,
>
> On Thu, Nov 22, 2018 at 9:53 PM Salvatore Bonaccorso wrote:
> > The "attack" scenario described as follows, that an attacker can cause
> > a denial of service (tmux crash) by "arranging for a malloc
> > failure" triggering the issue in format_cb_pane_tabs in format.c
> >
> > Does this help?
>
> Not really, because the proposed fix just calls fatal() on allocation
> failure so tmux will crash anyway. Someone must have thought that the
> failure was exploitable in some way, and it's not clear to me which.
>
> Thanks anyway!

Oh well I see, yes then it was not very helpful from my side. Sorry.
Yes you are right. I understand now and as well your concerns on my
report. Given upstream did address it as such, could you contact
upstream to see what's their take on this?

Regards,
Salvatore

Bug#914301: tmux: CVE-2018-19387: NULL Pointer Dereference in format_cb_pane_tabs in format.c
Hi Salvatore,

On Thu, Nov 22, 2018 at 9:53 PM Salvatore Bonaccorso wrote:
> The "attack" scenario described as follows, that an attacker can cause
> a denial of service (tmux crash) by "arranging for a malloc
> failure" triggering the issue in format_cb_pane_tabs in format.c
>
> Does this help?

Not really, because the proposed fix just calls fatal() on allocation
failure so tmux will crash anyway. Someone must have thought that the
failure was exploitable in some way, and it's not clear to me which.

Thanks anyway!

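The point made in the message above, that an unchecked allocation failure and a fatal()-style check both end the process and differ only in how, shown as an added C illustration; it is not tmux code and not part of the original thread. The names maybe_malloc, format_unchecked, format_checked and run_in_child are hypothetical, and the fail_alloc switch stands in for a real malloc failure.

```c
/* Added illustration, not tmux code; every name below is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fault-injection switch; volatile so the failure is decided at run time. */
static volatile int fail_alloc;
static void *maybe_malloc(size_t n) { return fail_alloc ? NULL : malloc(n); }

/* Before: the allocation result is used without a check. */
static void format_unchecked(void) {
    volatile char *buf = maybe_malloc(16);
    buf[0] = '8';               /* write through NULL when malloc failed */
    free((void *)buf);
}

/* After: fatal()-style handling, report and terminate the process. */
static void format_checked(void) {
    char *buf = maybe_malloc(16);
    if (buf == NULL) {
        fprintf(stderr, "fatal: allocation failed\n");
        _exit(1);
    }
    buf[0] = '8';
    free(buf);
}

enum outcome { RAN_OK, EXITED_WITH_ERROR, KILLED_BY_SIGNAL };
/* Run fn in a child process and classify how that process ended. */
static enum outcome run_in_child(void (*fn)(void), int inject_failure) {
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(2); }
    if (pid == 0) {
        fail_alloc = inject_failure;
        fn();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(2); }
    if (WIFSIGNALED(status)) return KILLED_BY_SIGNAL;
    return WEXITSTATUS(status) == 0 ? RAN_OK : EXITED_WITH_ERROR;
}

int main(void) {
    printf("unchecked, malloc fails: %d\n", run_in_child(format_unchecked, 1));
    printf("checked,   malloc fails: %d\n", run_in_child(format_checked, 1));
    return 0;
}
```
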
Bug#914301: tmux: CVE-2018-19387: NULL Pointer Dereference in format_cb_pane_tabs in format.c
Hi Romain,

On Thu, Nov 22, 2018 at 06:26:59PM +0100, Romain Francoise wrote:
> Hi Salvatore,
>
> On Wed, Nov 21, 2018 at 8:57 PM Salvatore Bonaccorso wrote:
> > The following vulnerability was published for tmux, the security
> > impact is disputable, but just filing this bug for tracking a future
> > fix.
>
> Thanks for the report. Do you know who assigned the CVE id and what
> their reasons were? Also, who noted that there is no security impact
> in the tracker (if that is really the case I'd rather just close this
> bug).

The CVE was assigned by the MITRE CNA itself, but unclear who requested
it.

Regarding the tracker: that was me and Moritz, but I filed this bug
explicitly for trackability of the commit[1] so I can update the fixed
version once it will land in a release. This is as well the reason why
it is marked 'unimportant' to indicate there is no real (or there is a
negligible) security impact (as well why it is just as minor severity).
So the bug can just be closed as soon [1] lands in an update.

The "attack" scenario described as follows, that an attacker can cause
a denial of service (tmux crash) by "arranging for a malloc
failure" triggering the issue in format_cb_pane_tabs in format.c

Does this help?

Regards,
Salvatore

[1] https://github.com/tmux/tmux/commit/749f67b7d801eed03345fef9c04206fbd079c3cb

Bug#914301: tmux: CVE-2018-19387: NULL Pointer Dereference in format_cb_pane_tabs in format.c
Hi Salvatore,

On Wed, Nov 21, 2018 at 8:57 PM Salvatore Bonaccorso wrote:
> The following vulnerability was published for tmux, the security
> impact is disputable, but just filing this bug for tracking a future
> fix.

Thanks for the report. Do you know who assigned the CVE id and what
their reasons were? Also, who noted that there is no security impact
in the tracker (if that is really the case I'd rather just close this
bug).

Regards,
-r

Bug#914301: tmux: CVE-2018-19387: NULL Pointer Dereference in format_cb_pane_tabs in format.c
Source: tmux
Version: 2.8-1
Severity: minor
Tags: patch security upstream
Forwarded: https://github.com/tmux/tmux/issues/1547

Hi,

The following vulnerability was published for tmux, the security
impact is disputable, but just filing this bug for tracking a future
fix.

CVE-2018-19387[0]:
| format_cb_pane_tabs in format.c in tmux 2.7 through 2.8 might allow
| attackers to cause a denial of service (NULL Pointer Dereference and
| application crash) by arranging for a malloc failure.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19387
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19387
[1] https://github.com/tmux/tmux/issues/1547
[2] https://github.com/tmux/tmux/commit/749f67b7d801eed03345fef9c04206fbd079c3cb

Regards,
Salvatore