Curses library vulnerable to buffer overflow

CERT VU:451275
Published: 2001-07-27
Source: www.kb.cert.org

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.0004 Low
Percentile: 5.3%

Overview

The curses library derived from System V contains a buffer overflow. A local user can execute a command that uses this library to exploit the vulnerability and gain elevated privileges.

Description

There is a buffer overflow in the curses library that could permit a local user to gain elevated privileges. Various commands call the libcurses library to get the terminal settings, either from the TERM environment variable or from a command-line argument.


Impact

A local user can gain elevated privileges.


Solution

Apply the appropriate patch from your vendor. See our “Systems Affected” section below.


Vendor Information


SCO: Affected

Notified: June 13, 2001 Updated: August 06, 2001

Status

Affected

Vendor Statement

Yes, the other two binaries also must be remade with the new library. We neglected to do that, and we are in the process of creating them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are additional files (auditsh and termsh) that still need to be remade with the new library. The above vendor statement reflects the need to relink all current applications with the new library. Until these are released, a workaround would be to set permissions on the two files. All programs that use the curses library must be re-linked with this new library to take advantage of the fix. SCO OpenServer and UnixWare 7 ship with the curses library. Download and install the new files for your system as specified in the Caldera Advisory (CSSA-2001-SCO.1).
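One way to find the programs that the relink requirement above applies to, as an added example that is not part of the CERT/CC note or any vendor advisory: list set-uid and set-gid files whose contents reference libcurses or setupterm. The helper name curses_priv_audit and the byte-string match are assumptions of this example; stripped, statically linked binaries will not match and still need the vendor's file list.

```shell
#!/bin/sh
# Added example (not from the advisory): candidate list for relinking or
# permission review. curses_priv_audit is a hypothetical helper name.
#
# Usage: curses_priv_audit DIR...
# Prints the path of every set-uid or set-gid regular file under DIR whose
# bytes contain the library name "libcurses" or the symbol name "setupterm".
curses_priv_audit() {
    for root in "$@"; do
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done |
    while IFS= read -r f; do
        # Dynamically linked programs record the library and imported symbol
        # names as plain strings; unstripped static ones keep the symbol name.
        # A hit is a candidate for review, not proof the file is vulnerable.
        if LC_ALL=C grep -q -e 'libcurses' -e 'setupterm' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Run directly with the directories to scan as arguments
# (for example /usr/bin /usr/sbin; adjust to the system's layout).
if [ "$#" -gt 0 ]; then
    curses_priv_audit "$@"
fi
```

Run it with enough privilege to read every file, since unreadable files are skipped silently. Paths containing newlines are not handled.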

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23451275 Feedback>).

SGI: Affected

Notified: August 06, 2001 Updated: August 08, 2001

Status

Affected

Vendor Statement

IRIX 6.5 and above is not vulnerable to the libcurses buffer overflow. It was fixed as part of bug 530675.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun: Affected

Notified: July 31, 2001 Updated: August 09, 2001

Status

Affected

Vendor Statement

We fixed this buffer overflow via bugID:

4313067 security: libcurses:setupterm has buffer overflow

The above bugID was patched for all affected releases:

110458-01 SunOS 5.8: libcurses patch
110459-01 SunOS 5.8_x86: libcurses patch
110070-01 SunOS 5.7: security: libcurses:setupterm has buffer overflow
110071-01 SunOS 5.7_x86: security: libcurses:setupterm has buffer overflow
105405-03 SunOS 5.6: libcurses.a & libcurses.so.1 patch
105406-03 SunOS 5.6_x86: libcurses.a & libcurses.so.1 patch
104637-04 SunOS 5.5.1: /usr/ccs/lib/libcurses.a patch
104638-04 SunOS 5.5.1_x86: /usr/ccs/lib/libcurses.a patch
110339-01 SunOS 5.5: libcurses:setupterm has buffer overflow
110341-01 SunOS 5.5_x86: libcurses:setupterm has buffer overflow
110051-01 SunOS 5.4: Patch for libcurses
110052-01 SunOS 5.4_x86: Patch for libcurses
101325-05 SunOS 5.3: jumbo fmli patch, libcurses.a

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems: Versions of SunOS earlier than 5.8 are vulnerable. This vulnerability has been addressed as BugID 4313067. Download and install the new files for your system from Sun.


Hewlett Packard: Not Affected

Notified: August 06, 2001 Updated: August 27, 2001

Status

Not Affected

Vendor Statement

This is not an issue for HP.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



References

<http://www.securitytracker.com/alerts/2001/Jun/1001825.html>

Acknowledgements

This vulnerability was discovered by Kevin Finisterre and was reported to the [email protected] mailing list. Caldera/SCO has also released an advisory (CSSA-2001-SCO.1).

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2001-1148
Severity Metric: 0.72 Date Public:
