Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.7241 ncurses security update 4 December 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ncurses Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2023-29491 CVE-2021-39537 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html Comment: CVSS (Max): 8.8 CVE-2021-39537 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: NIST Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3682-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin December 03, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : ncurses Version : 6.1+20181013-2+deb10u5 CVE ID : CVE-2021-39537 CVE-2023-29491 Debian Bug : 1034372 Issues were found in ncurses, a collection of shared libraries for terminal handling, which could lead to denial of service. CVE-2021-39537 It has been discovered that the tic(1) utility is susceptible to a heap overflow on crafted input due to improper bounds checking. CVE-2023-29491 Jonathan Bar Or, Michael Pearse and Emanuele Cozzi have discovered that when ncurses is used by a setuid application, a local user can trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variables. In order to mitigate this issue, ncurses now further restricts programs running with elevated privileges (setuid/setgid programs). Programs run by the superuser remain able to load custom terminfo entries. This change aligns ncurses' behavior in buster-security with that of Debian Bullseye's latest point release (6.2+20201114-2+deb11u2). For Debian 10 buster, these problems have been fixed in version 6.1+20181013-2+deb10u5. We recommend that you upgrade your ncurses packages. For the detailed security status of ncurses please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ncurses Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZW03Z8kNZI30y1K9AQiSxQ//Z40aT/H/IqAlQoWscJYjpRb/W/NBTHOf 4KFx7/VGe2IXAzZosatHt9UIPY1qQ1O3mmptBU+xrRso6bMaqbwHFf21dsEmAkU2 jnguP3keNBbOYYnVKPOsQqihKP/duy3tSY5u4bub9OuHLE7JaYKFNpJtdlOJaKna xSusnea/VTCzt5BLzSSSCC4RXKgIZJhaERE9ta/P/RzWTE/uPv9BzMYywb1N47Jd HBTa+9XBDLqMAWHgK8YRT2ZpJtDXqnt0ETZZrVk0CYAsh4rkKkGVeg6a1iMzVxok G4gmO9t1EanMWFkLhBP03QcG744z+gA7EeroFX389P7BK230iyfx9HkP7DH/mT/X eymYAcASPlS5Kz6GUbBk4tp6+VJ0AO0hZMvFlBXMlG+4PIbRf//VfJA33F3IxGOz aSOxYs1vdIY0IpFTqQsHW/auzg/JgR+Y0DXED3/I/0uaVkN6F+t+zFabOFnyB+J9 6OMN+1+/FlgxIGZZgdZf+gT4Kjnled9UGsLf1nhj2CMp3sHvW15nKPMJMz6G+5qU KDN7uSJc0PmnpK5LxQe5dOSfNNdnTt+DYEVOB3++B7gTZKhmal2K6ixE2UGDw5aw 7gfY0hTSq5VyPkXoreLtys90QhjVQtG3W8IJM8ZRP6bA+OThedLXnXmbeTP7v3Or iWfIgk+6Ax8= =P7yR -----END PGP SIGNATURE-----