CVE-2023-29491

Published: 14 April 2023

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Notes

upstream commit has miscellaneous changes besides the
security fix.

TODO: investigate why ncurses is built without
"with_root_environ=no" build option, that should be the default
going forward to prevent these types of issues.

applying the upstream patch of ncurses that fixes this issue to
focal and earlier would have been too intrusive, since changes
such as the various made by commit 790a85db were not present in
their versions of this package. Setting the
--disable-root-environ option with a few additional changes to
the code (as done by Debian in version 6.4-3 of the package)
allows us to mitigate this issue and avoid other issues that
involve the possibility of malicious use of environment
variables through setuid applications, and, therefore, it was
the fix chosen in order to resolve this vulnerability.

Status

Severity score breakdown

References

• https://invisible-island.net/ncurses/NEWS.html#index-t20230408
• https://www.openwall.com/lists/oss-security/2023/04/13/4
• https://www.openwall.com/lists/oss-security/2023/04/12/5
• https://ubuntu.com/security/notices/USN-6099-1
• https://www.cve.org/CVERecord?id=CVE-2023-29491
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372