Debian Bug report logs - #894724
ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line

version graph

Package: ncmpc; Maintainer for ncmpc is mpd maintainers <pkg-mpd-maintainers@lists.alioth.debian.org>; Source for ncmpc is src:ncmpc (PTS, buildd, popcon).

Reported by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>

Date: Tue, 3 Apr 2018 14:51:05 UTC

Severity: normal

Tags: patch, security

Found in versions ncmpc/0.24-1, ncmpc/0.27-1

Fixed in version ncmpc/0.33-1

Done: Geoffroy Youri Berret <efrim@azylum.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, j.neuschaefer@gmx.net, max@musicpd.org, team@security.debian.org, Sebastian Harl <tokkee@debian.org>:
Bug#894724; Package ncmpc. (Tue, 03 Apr 2018 14:51:07 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Neuschäfer <j.neuschaefer@gmx.net>:
New Bug report received and forwarded. Copy sent to j.neuschaefer@gmx.net, max@musicpd.org, team@security.debian.org, Sebastian Harl <tokkee@debian.org>. (Tue, 03 Apr 2018 14:51:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ncmpc: Crash in chat screen when another client sends a long line
Date: Tue, 03 Apr 2018 16:48:23 +0200
[Message part 1 (text/plain, inline)]
Package: ncmpc
Version: 0.27-1
Severity: normal
Tags: patch security

Hi,

Ncmpc can be crashed when the user uses the chat screen and another
client sends a long chat message, due to a NULL pointer dereference.

I have a patch that fixes this for v0.27 (currently in Debian) and v0.29
(newest upstream release). The bug is fixed in upstream's master branch.

I tagged this report as "security"-related, because the client can be
crashed by the actions of another client, but I don't think this allows
anything more serious than a NULL pointer derefence (probably no RCE).

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips, armhf, armel

Kernel: Linux 4.15.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ncmpc depends on:
ii  libc6            2.27-2
ii  libglib2.0-0     2.56.0-4
ii  liblirc-client0  0.10.0-2+b1
ii  libmpdclient2    2.11-1
ii  libncursesw5     6.1-1
ii  libtinfo5        6.1-1

ncmpc recommends no packages.

Versions of packages ncmpc suggests:
ii  mpd           0.20.18-1
pn  ncmpc-lyrics  <none>

-- no debconf information
[chat-crash.patch (text/plain, attachment)]

Marked as found in versions ncmpc/0.24-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Apr 2018 19:51:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Harl <tokkee@debian.org>:
Bug#894724; Package ncmpc. (Wed, 04 Apr 2018 04:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sebastian Harl <tokkee@debian.org>. (Wed, 04 Apr 2018 04:57:04 GMT) (full text, mbox, link).


Message #12 received at 894724@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonathan Neusch??fer <j.neuschaefer@gmx.net>, 894724@bugs.debian.org
Subject: Re: Bug#894724: ncmpc: Crash in chat screen when another client sends a long line
Date: Wed, 4 Apr 2018 06:54:43 +0200
Control: retitle -1 ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line

Hi Jonathan,

On Tue, Apr 03, 2018 at 04:48:23PM +0200, Jonathan Neusch??fer wrote:
> I tagged this report as "security"-related, because the client can be
> crashed by the actions of another client, but I don't think this allows
> anything more serious than a NULL pointer derefence (probably no RCE).

MITRE has assigned CVE-2018-9240 for this issue.

Regards,
Salvatore



Changed Bug title to 'ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line' from 'ncmpc: Crash in chat screen when another client sends a long line'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 894724-submit@bugs.debian.org. (Wed, 04 Apr 2018 04:57:04 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Florian Schlichting <fsfs@debian.org> to control@bugs.debian.org. (Mon, 07 Jan 2019 22:45:04 GMT) (full text, mbox, link).


Reply sent to Geoffroy Youri Berret <efrim@azylum.org>:
You have taken responsibility. (Mon, 14 Jan 2019 22:51:03 GMT) (full text, mbox, link).


Notification sent to Jonathan Neuschäfer <j.neuschaefer@gmx.net>:
Bug acknowledged by developer. (Mon, 14 Jan 2019 22:51:03 GMT) (full text, mbox, link).


Message #21 received at 894724-close@bugs.debian.org (full text, mbox, reply):

From: Geoffroy Youri Berret <efrim@azylum.org>
To: 894724-close@bugs.debian.org
Subject: Bug#894724: fixed in ncmpc 0.33-1
Date: Mon, 14 Jan 2019 22:49:46 +0000
Source: ncmpc
Source-Version: 0.33-1

We believe that the bug you reported is fixed in the latest version of
ncmpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Geoffroy Youri Berret <efrim@azylum.org> (supplier of updated ncmpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 07 Jan 2019 14:55:41 +0100
Source: ncmpc
Binary: ncmpc ncmpc-lyrics
Architecture: source amd64 all
Version: 0.33-1
Distribution: unstable
Urgency: medium
Maintainer: mpd maintainers <pkg-mpd-maintainers@lists.alioth.debian.org>
Changed-By: Geoffroy Youri Berret <efrim@azylum.org>
Description:
 ncmpc      - ncurses-based audio player
 ncmpc-lyrics - ncurses-based audio player (lyrics plugins)
Closes: 894724 896059 902699 916731
Changes:
 ncmpc (0.33-1) unstable; urgency=medium
 .
   * Enable pgpmode in watch file, add upstream signing key
   * New upstream release.
     - Fix "CVE-2018-9240 (Closes: #894724)
     - Fix "segfault on bad connection" (Closes: #902699)
     - Fix "Defaults to non-policy-compliant configuration
       file" (Closes: #896059)
   * Update standards version to 4.3.0.
     Update debhelper to compat 12
     Update upstream Homepage
   * Update d/rules to build with meson.
     Switch from menu to XDG Desktop file
   * Refactored copyright (dep-5 machine-interpretable format)
   * Takeover for the mpd-team (Closes: #916731)
   * Register html manual with doc-base
Checksums-Sha1:
 2409c04e1484f7e85973d651eee046248824872c 2342 ncmpc_0.33-1.dsc
 b5bcb49069c6a89e7d05644cecda244c7da4d1be 226344 ncmpc_0.33.orig.tar.xz
 32878b37a378c1a3607ae82dd789e702f41f5ef4 879 ncmpc_0.33.orig.tar.xz.asc
 9aa6c7d4881bd09d0734ba700be5972cc7ed2a7c 16344 ncmpc_0.33-1.debian.tar.xz
 da69f11f76c636ce008f9f01a46fd0d35a2791f4 4774620 ncmpc-dbgsym_0.33-1_amd64.deb
 d4a341c28e6c56a8a10e49934adb612836e2c131 13932 ncmpc-lyrics_0.33-1_all.deb
 94350fdccb2e4d17e2162c574d090b81f3390251 7996 ncmpc_0.33-1_amd64.buildinfo
 aea68d77c2b126c0f727f5e17a550b51925fd5b9 283788 ncmpc_0.33-1_amd64.deb
Checksums-Sha256:
 54d82f9cb50c2e1d6dd23990d132c54d46f668badccf089f4c0418c4b0f2bbb8 2342 ncmpc_0.33-1.dsc
 94e04a34854015aa013b43ec15b578f4541d077cf7ae5bf7c0944475673fd7a5 226344 ncmpc_0.33.orig.tar.xz
 dc067705e2396cb405bba3d7a1ffdc1fa9db2787cea58476736f483ac17a5d9d 879 ncmpc_0.33.orig.tar.xz.asc
 a9465edb56a39a5c24421bf69471c91a884a9d7e1b60e9c29321b0f38a6592e0 16344 ncmpc_0.33-1.debian.tar.xz
 41e5b71c1f7b0b3451b9774cc3a9bd271c8c0f7bda229ef6bc1b7b639375b3c6 4774620 ncmpc-dbgsym_0.33-1_amd64.deb
 cf30431c1dd95e4e49a6a9d12f7b22a7dfa23c4df1d14bb17309dd90b800bf04 13932 ncmpc-lyrics_0.33-1_all.deb
 26b4c7c6f448cdce742ac75297a99a181b9029102b6d45c72cab5657137c9357 7996 ncmpc_0.33-1_amd64.buildinfo
 613f0f8940a547191b5a026cc6749dc366dffa13a1febae69ed701ec09762927 283788 ncmpc_0.33-1_amd64.deb
Files:
 a56902d82a975f7afcfc881cafc4a0da 2342 sound optional ncmpc_0.33-1.dsc
 166394cf1ab645de219bd1d525930343 226344 sound optional ncmpc_0.33.orig.tar.xz
 8b51e78d4e7aba28ac96363508837be8 879 sound optional ncmpc_0.33.orig.tar.xz.asc
 42001ea07b36b52bf4359e4279386a84 16344 sound optional ncmpc_0.33-1.debian.tar.xz
 59007c558ff2baec4d2d47ff4f290bfa 4774620 debug optional ncmpc-dbgsym_0.33-1_amd64.deb
 eb0c101afb516168b2d4addcff15c8c7 13932 sound optional ncmpc-lyrics_0.33-1_all.deb
 a4128e12201e33eb9189ed6d53c470b5 7996 sound optional ncmpc_0.33-1_amd64.buildinfo
 9e0587783ce1078e0d863904842c9a3d 283788 sound optional ncmpc_0.33-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEMLI8i05qOwnqprZSEpc7bnLcB7UFAlwzzDYACgkQEpc7bnLc
B7WroQ/7B1rWidi4Pn21bC/4qSk/VCeceTGqeiuC4nM3mqk5H7F09fnWqQ7WuzYe
Biay54BSGQKEuqk9XY948gF5ytxgHh6WPz7ngDwTlDn/7n83ix1mukQs3+u2EbXb
5mCS6SYuJKMrGOKV9caQIHoXOym4HTnKnUclZjC0YEJ0G7jNLu5spk8954bfoKb1
FeaqHWb8jJie7bqph4ES6+annR67L5NJWVNlR1hdiWPIeDy3ZWSoSMIVEHgsfCGm
MML1M6R7YO3sPz5uNvwWtNrm7DooVUZRJ/LCpkb8y4zsVUulK7LXTle2DnRFjxnX
C/b91/yVfe6skYfw1zPuRpqDSKZBEIuLXXCtvgpnl4RAeqBcEjnv08BG4uZ6VOpE
DBF7xmpVv9t5kA4HJk0UheUuFbJ4eK2QTBs/98GXeg+FIpaJKIkxu/+QcplvLqUA
snxHR2AloOFH+MiKn07at7uTwLJlXQE3i0dbIxbdLoKbsoiVlXdkOOZn8q4Q4uNC
yD4yx09hT4xt4rUt6pTtVSyUtE4OebrUtutwAg4KNudFPbZ4T6kbr62MnXG/ZFiY
uQwPXhOBCsb6NCSCqlbgVV76x9bJVqvQoUIerCyCoabnaasBDj40FdlHyQjhaid1
RnfjbjohB89iO21S1OjcN74RNxQKGhnV6MfsHsosyMM5laob4Vk=
=OJrE
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Feb 2019 07:26:42 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 05:26:49 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.