CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%
ncurses before 6.4 20230408, when used by a setuid application, allows
local users to trigger security-relevant memory corruption via malformed
data in a terminfo database file that is found in $HOME/.terminfo or
reached via the TERMINFO or TERM environment variable.
Author | Note |
---|---|
rodrigo-zaiden | upstream commit has miscellaneous changes besides the security fix. |
mdeslaur | TODO: investigate why ncurses is built without “with_root_environ=no” build option, that should be the default going forward to prevent these types of issues. |
ccdm94 | applying the upstream patch of ncurses that fixes this issue to focal and earlier would have been too intrusive, since changes such as the various made by commit 790a85db were not present in their versions of this package. Setting the --disable-root-environ option with a few additional changes to the code (as done by Debian in version 6.4-3 of the package) allows us to mitigate this issue and avoid other issues that involve the possibility of malicious use of environment variables through setuid applications, and, therefore, it was the fix chosen in order to resolve this vulnerability. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | ncurses | < 6.1-1ubuntu1.18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | ncurses | < 6.2-0ubuntu2.1 | UNKNOWN |
ubuntu | 22.04 | noarch | ncurses | < 6.3-2ubuntu0.1 | UNKNOWN |
ubuntu | 22.10 | noarch | ncurses | < 6.3+20220423-2ubuntu0.1 | UNKNOWN |
ubuntu | 23.04 | noarch | ncurses | < 6.4-2ubuntu0.1 | UNKNOWN |
ubuntu | 14.04 | noarch | ncurses | < 5.9+20140118-1ubuntu1+esm3 | UNKNOWN |
ubuntu | 16.04 | noarch | ncurses | < 6.0+20160213-1ubuntu1+esm3 | UNKNOWN |
invisible-island.net/ncurses/NEWS.html#index-t20230408
launchpad.net/bugs/cve/CVE-2023-29491
nvd.nist.gov/vuln/detail/CVE-2023-29491
security-tracker.debian.org/tracker/CVE-2023-29491
ubuntu.com/security/notices/USN-6099-1
www.cve.org/CVERecord?id=CVE-2023-29491
www.openwall.com/lists/oss-security/2023/04/12/5
www.openwall.com/lists/oss-security/2023/04/13/4