[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3682-1] ncurses security update

Debian LTS Advisory DLA-3682-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 03, 2023                             https://wiki.debian.org/LTS

Package        : ncurses
Version        : 6.1+20181013-2+deb10u5
CVE ID         : CVE-2021-39537 CVE-2023-29491
Debian Bug     : 1034372

Issues were found in ncurses, a collection of shared libraries for
terminal handling, which could lead to denial of service.


    It has been discovered that the tic(1) utility is susceptible to a
    heap overflow on crafted input due to improper bounds checking.


    Jonathan Bar Or, Michael Pearse and Emanuele Cozzi have discovered
    that when ncurses is used by a setuid application, a local user can
    trigger security-relevant memory corruption via malformed data in a
    terminfo database file found in $HOME/.terminfo or reached via the
    TERMINFO or TERM environment variables.

    In order to mitigate this issue, ncurses now further restricts
    programs running with elevated privileges (setuid/setgid programs).
    Programs run by the superuser remain able to load custom terminfo

    This change aligns ncurses' behavior in buster-security with that of
    Debian Bullseye's latest point release (6.2+20201114-2+deb11u2).

For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your ncurses packages.

For the detailed security status of ncurses please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to: