Concerning a possible bug in the 'ncurses' package

[Ben Schwarz]

This email concerns a bug or security vulnerability that members of
the MOPS project (http://www.cs.berkeley.edu/~daw/mops/) have found
during a recent audit of all programs packaged with the Redhat 9 Linux
distribution. We believe that one or more of the packages maintained
by recipients of this email contain bugs that may be exploitable
(although sometimes they are just bugs that may result in unexpected
program behavior).

The specific type of bug which we have found arises from misuse of
the strncpy() function. In general there are two sources of problems:
1) off-by-one errors, where the program can write past the end
of an array bounds, and 2) unterminated strings. For example, a
safe use of strncpy():

   buf[sizeof(buf) - 1] = '\0';
   strncpy(buf, ..., sizeof(buf)-1);

and two unsafe uses:

   buf[sizeof(buf) - 1] = '\0';
   strncpy(buf, ..., sizeof(buf);

   -----------------------------

   memset(buf, 0, sizeof(buf) - 1);
   strncpy(buf, ..., sizeof(buf)-1);

In the first unsafe example, the string is null-terminated, but the
terminating character can be overwritten by the subsequence strncpy().
In the second unsafe example, memset() is used incorrectly--it needs
to be given the entire size of the buffer, not the size - 1.

We present some examples of vulnerable programs in our paper
"Model Checking An Entire Linux Distribution for Security Violations"
which can be found at
http://www.cs.berkeley.edu/~bschwarz/paper/mc-redhat.pdf.
Section 3.4 is dedicated to this specific type of bug.

Our suggestion for fixing these bugs is to make sure all code
which uses strncpy() follows a safe idiom, such as the one presented
above.

The maintainers of this package can find the interactive program
traces at https://taverner.cs.berkeley.edu/traces/strncpy/
A program trace consists of a series statements that caused the program
to reach a state where we believe malicious behavior can occur. One can
navigate the program code by clicking on transitions (two program states
separated by a '->') in the leftmost pane to see the program behavior
that caused our modelchecker to reach its final state.
For this specific bug, transitions to the final "bug" state will occur
when the modelchecker has detected a use of strncpy() that does not follow
a safe idiom. We have manually audited these traces to verify the
presence of bugs.

At this end of this email is a more detailed description of where the bug
can be found. Any questions about this specific bug can be directed to
address@hidden

----------------------------

URL with program traces for this package:
https://taverner.cs.berkeley.edu/traces/strncpy/ncurses4-5.0-11/HTMLtrace/tic/strncpy/index.html

Programs with bugs:
tic (comp_error.c line 58)

We believe 'name' can be of length MAX_NAME_SIZE + 1,  so the string
is not guaranteed to be terminated.