GNU Ncurses Stack-Based Buffer Overflow Vulnerability in Tic Program

Vulnerability

A stack-based buffer overflow vulnerability has been identified in GNU Ncurses versions through 6.5-20250322. This issue arises in the 'postprocess_termcap' function within 'tinfo/parse_entry.c'. The vulnerability can be exploited locally, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can disrupt the normal operation of the program and potentially allow for arbitrary code execution.

Reproduction

To reproduce the issue, compile Ncurses with Clang and enable AddressSanitizer to detect memory errors. Then run the 'tic' command on a specially crafted input file that triggers the buffer overflow. AddressSanitizer reports a stack-buffer-overflow error, indicating that the vulnerability has been successfully triggered.

Remediation

Users are advised to upgrade to GNU Ncurses version 6.5-20250329, which addresses this vulnerability.
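
A quick way to check a host against the fixed release, as an added example that is not part of the original advisory: it parses the "ncurses major.minor.patchdate" line that `tic -V` prints and compares it with 6.5-20250329. The helper name `ncurses_status` is hypothetical and the sample strings are constructed; the check assumes the patch date reflects the installed code.

```shell
#!/bin/sh
# Added example (not from the advisory): compare an ncurses version string
# with the fixed release named above, 6.5-20250329.
# Assumption: the patch date reflects the code; distribution packages that
# backport the fix without bumping it are reported as "vulnerable".

FIXED_MAJOR=6
FIXED_MINOR=5
FIXED_PATCH=20250329

# ncurses_status VERSION  (hypothetical helper name)
# Accepts "ncurses 6.5.20250322" (the `tic -V` format) or "6.5-20250322".
# Prints: patched | vulnerable | unknown
ncurses_status() {
    s=${1#ncurses }
    # Split into "major minor patchdate"; empty if the string does not parse.
    v=$(printf '%s\n' "$s" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)[.-]\([0-9]\{8\}\)$/\1 \2 \3/p')
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    major=${v%% *}
    rest=${v#* }
    minor=${rest%% *}
    patch=${rest#* }

    if [ "$major" -ne "$FIXED_MAJOR" ]; then
        [ "$major" -gt "$FIXED_MAJOR" ] && echo patched || echo vulnerable
    elif [ "$minor" -ne "$FIXED_MINOR" ]; then
        [ "$minor" -gt "$FIXED_MINOR" ] && echo patched || echo vulnerable
    elif [ "$patch" -ge "$FIXED_PATCH" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample strings, for illustration only.
for sample in "ncurses 6.5.20250322" "ncurses 6.5.20250329" "6.4-20240113" "not a version"; do
    printf '%-24s %s\n' "$sample" "$(ncurses_status "$sample")"
done
```

On a live system, call it as `ncurses_status "$(tic -V)"` and treat an "unknown" result as a prompt to check the package manager's changelog instead.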

Added: Jun 16, 2025, 10:19 PM
Updated: Jun 16, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.