Published: 14 April 2023
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
upstream commit has miscellaneous changes besides the security fix.
TODO: investigate why ncurses is built without "with_root_environ=no" build option, that should be the default going forward to prevent these types of issues.
applying the upstream patch of ncurses that fixes this issue to focal and earlier would have been too intrusive, since changes such as the various made by commit 790a85db were not present in their versions of this package. Setting the --disable-root-environ option with a few additional changes to the code (as done by Debian in version 6.4-3 of the package) allows us to mitigate this issue and avoid other issues that involve the possibility of malicious use of environment variables through setuid applications, and, therefore, it was the fix chosen in order to resolve this vulnerability.
Cvss 3 Severity Score
Launchpad, Ubuntu, Debian
Severity score breakdown