Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.7241
ncurses security update
4 December 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ncurses
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2023-29491 CVE-2021-39537
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html
Comment: CVSS (Max): 8.8 CVE-2021-39537 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: NIST
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3682-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 03, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : ncurses
Version : 6.1+20181013-2+deb10u5
CVE ID : CVE-2021-39537 CVE-2023-29491
Debian Bug : 1034372
Issues were found in ncurses, a collection of shared libraries for
terminal handling, which could lead to denial of service.
CVE-2021-39537
It has been discovered that the tic(1) utility is susceptible to a
heap overflow on crafted input due to improper bounds checking.
CVE-2023-29491
Jonathan Bar Or, Michael Pearse and Emanuele Cozzi have discovered
that when ncurses is used by a setuid application, a local user can
trigger security-relevant memory corruption via malformed data in a
terminfo database file found in $HOME/.terminfo or reached via the
TERMINFO or TERM environment variables.
In order to mitigate this issue, ncurses now further restricts
programs running with elevated privileges (setuid/setgid programs).
Programs run by the superuser remain able to load custom terminfo
entries.
This change aligns ncurses' behavior in buster-security with that of
Debian Bullseye's latest point release (6.2+20201114-2+deb11u2).
For Debian 10 buster, these problems have been fixed in version
6.1+20181013-2+deb10u5.
We recommend that you upgrade your ncurses packages.
For the detailed security status of ncurses please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ncurses
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZW03Z8kNZI30y1K9AQiSxQ//Z40aT/H/IqAlQoWscJYjpRb/W/NBTHOf
4KFx7/VGe2IXAzZosatHt9UIPY1qQ1O3mmptBU+xrRso6bMaqbwHFf21dsEmAkU2
jnguP3keNBbOYYnVKPOsQqihKP/duy3tSY5u4bub9OuHLE7JaYKFNpJtdlOJaKna
xSusnea/VTCzt5BLzSSSCC4RXKgIZJhaERE9ta/P/RzWTE/uPv9BzMYywb1N47Jd
HBTa+9XBDLqMAWHgK8YRT2ZpJtDXqnt0ETZZrVk0CYAsh4rkKkGVeg6a1iMzVxok
G4gmO9t1EanMWFkLhBP03QcG744z+gA7EeroFX389P7BK230iyfx9HkP7DH/mT/X
eymYAcASPlS5Kz6GUbBk4tp6+VJ0AO0hZMvFlBXMlG+4PIbRf//VfJA33F3IxGOz
aSOxYs1vdIY0IpFTqQsHW/auzg/JgR+Y0DXED3/I/0uaVkN6F+t+zFabOFnyB+J9
6OMN+1+/FlgxIGZZgdZf+gT4Kjnled9UGsLf1nhj2CMp3sHvW15nKPMJMz6G+5qU
KDN7uSJc0PmnpK5LxQe5dOSfNNdnTt+DYEVOB3++B7gTZKhmal2K6ixE2UGDw5aw
7gfY0hTSq5VyPkXoreLtys90QhjVQtG3W8IJM8ZRP6bA+OThedLXnXmbeTP7v3Or
iWfIgk+6Ax8=
=P7yR
-----END PGP SIGNATURE-----