AmazonALAS-2024-2412Medium: ncurses
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.8 Medium
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
0.004 Low
EPSS
Percentile
72.0%
Issue Overview:
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. (CVE-2019-17594)
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. (CVE-2019-17595)
Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19185)
Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19186)
Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19187)
Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19188)
Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19189)
Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19190)
Affected Packages:
ncurses
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ncurses to update your system.
New Packages:
aarch64:
ncurses-6.0-8.20170212.amzn2.1.6.aarch64
ncurses-libs-6.0-8.20170212.amzn2.1.6.aarch64
ncurses-compat-libs-6.0-8.20170212.amzn2.1.6.aarch64
ncurses-c++-libs-6.0-8.20170212.amzn2.1.6.aarch64
ncurses-devel-6.0-8.20170212.amzn2.1.6.aarch64
ncurses-static-6.0-8.20170212.amzn2.1.6.aarch64
ncurses-debuginfo-6.0-8.20170212.amzn2.1.6.aarch64
i686:
ncurses-6.0-8.20170212.amzn2.1.6.i686
ncurses-libs-6.0-8.20170212.amzn2.1.6.i686
ncurses-compat-libs-6.0-8.20170212.amzn2.1.6.i686
ncurses-c++-libs-6.0-8.20170212.amzn2.1.6.i686
ncurses-devel-6.0-8.20170212.amzn2.1.6.i686
ncurses-static-6.0-8.20170212.amzn2.1.6.i686
ncurses-debuginfo-6.0-8.20170212.amzn2.1.6.i686
noarch:
ncurses-base-6.0-8.20170212.amzn2.1.6.noarch
ncurses-term-6.0-8.20170212.amzn2.1.6.noarch
src:
ncurses-6.0-8.20170212.amzn2.1.6.src
x86_64:
ncurses-6.0-8.20170212.amzn2.1.6.x86_64
ncurses-libs-6.0-8.20170212.amzn2.1.6.x86_64
ncurses-compat-libs-6.0-8.20170212.amzn2.1.6.x86_64
ncurses-c++-libs-6.0-8.20170212.amzn2.1.6.x86_64
ncurses-devel-6.0-8.20170212.amzn2.1.6.x86_64
ncurses-static-6.0-8.20170212.amzn2.1.6.x86_64
ncurses-debuginfo-6.0-8.20170212.amzn2.1.6.x86_64
Additional References
Red Hat: CVE-2019-17594, CVE-2019-17595, CVE-2020-19185, CVE-2020-19186, CVE-2020-19187, CVE-2020-19188, CVE-2020-19189, CVE-2020-19190
Mitre: CVE-2019-17594, CVE-2019-17595, CVE-2020-19185, CVE-2020-19186, CVE-2020-19187, CVE-2020-19188, CVE-2020-19189, CVE-2020-19190
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.8 Medium
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
0.004 Low
EPSS
Percentile
72.0%