CVE-2023-29491
Published: 14 April 2023
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
Notes
| Author | Note |
|---|---|
| rodrigo-zaiden | upstream commit has miscellaneous changes besides the security fix. |
| mdeslaur | TODO: investigate why ncurses is built without "with_root_environ=no" build option, that should be the default going forward to prevent these types of issues. |
| ccdm94 | applying the upstream patch of ncurses that fixes this issue to focal and earlier would have been too intrusive, since changes such as the various made by commit 790a85db were not present in their versions of this package. Setting the --disable-root-environ option with a few additional changes to the code (as done by Debian in version 6.4-3 of the package) allows us to mitigate this issue and avoid other issues that involve the possibility of malicious use of environment variables through setuid applications, and, therefore, it was the fix chosen in order to resolve this vulnerability. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ncurses Launchpad, Ubuntu, Debian |
bionic |
Released
(6.1-1ubuntu1.18.04.1)
|
| focal |
Released
(6.2-0ubuntu2.1)
|
|
| jammy |
Released
(6.3-2ubuntu0.1)
|
|
| kinetic |
Released
(6.3+20220423-2ubuntu0.1)
|
|
| lunar |
Released
(6.4-2ubuntu0.1)
|
|
| trusty |
Released
(5.9+20140118-1ubuntu1+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(6.4-3, 6.4+20230408)
|
|
| xenial |
Released
(6.0+20160213-1ubuntu1+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491
- https://invisible-island.net/ncurses/NEWS.html#index-t20230408
- https://www.openwall.com/lists/oss-security/2023/04/13/4
- https://www.openwall.com/lists/oss-security/2023/04/12/5
- https://ubuntu.com/security/notices/USN-6099-1
- NVD
- Launchpad
- Debian