ALAS2-2019-1302

Affecting ncurses package, versions <6.0-8.20170212.amzn2.1.3

medium severity

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2017-11113: In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
1473310: CVE-2017-11113 ncurses: Null pointer dereference vulnerability in _nc_parse_entry function

CVE-2017-11112: In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
1473306: CVE-2017-11112 ncurses: Illegal address access in append_acs function

CVE-2017-10685: In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
1473312: CVE-2017-10685 ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function

CVE-2017-10684: In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
1473302: CVE-2017-10684 ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c

References

CVE: ALAS2-2019-1302
Snyk ID: SNYK-AMZN2-NCURSES-509010
Published: 13 Nov, 2019