ncurses
cpe:2.3:a:ncurses_project:ncurses:*:*:*:*:*:*:*
- 6.4
- 6.5
A stack buffer overflow vulnerability has been identified in the ncurses library versions 6.4 and 6.5 prior to the 20251213 patch. The issue arises in the infocmp utility, specifically within the analyze_string function in progs/infocmp.c. When the infocmp command is run with the '-i' option, it analyzes certain initialization and reset-related capabilities in terminfo entries. The function copies unvalidated parameter substrings into a fixed-size stack buffer, leading to a stack smash. This vulnerability can cause a local denial-of-service by crashing the infocmp tool.
Exploitation of this vulnerability causes a stack buffer overflow, leading to a crash of the infocmp tool. However, this vulnerability could potentially be exploited to execute arbitrary code under the privileges of the user running the infocmp command.
The vulnerability can be reproduced by compiling ncurses with AddressSanitizer enabled, creating a crafted terminfo entry that exploits the buffer overflow, and then using the infocmp command to analyze the malicious terminfo entry.
Users can upgrade to ncurses version 6.5 with the 20251213 patch applied to address this vulnerability.
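A quick way to audit a host against this advisory is to compare the installed ncurses patch level with the 20251213 fix. The Python script below is an added example, not part of the advisory or of the ncurses project; it assumes the version string has the form "ncurses <major>.<minor>.<YYYYMMDD>" (as printed by `infocmp -V`, which is an assumption about the output format rather than something stated on this page) and treats a build as affected when it is on the 6.4 or 6.5 branch with a patch date earlier than 20251213. The sample version strings in the test are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Patch level at which the advisory says the issue is fixed (ncurses 6.5 + 20251213 patch).
FIXED_PATCH = 20251213
# Release branches the advisory lists as affected.
AFFECTED_BRANCHES = {(6, 4), (6, 5)}

# Assumed version-string format (not taken from the advisory):
# "ncurses <major>.<minor>.<YYYYMMDD>", the patch date being optional.
_VERSION_RE = re.compile(r"ncurses\s+(\d+)\.(\d+)(?:\.(\d{8}))?")


def parse_ncurses_version(text: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Extract (major, minor, patch_date) from a version string, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch else None)


def is_affected(text: str) -> Optional[bool]:
    """True if the string denotes an affected build, False if not affected,
    None if no ncurses version could be parsed."""
    parsed = parse_ncurses_version(text)
    if parsed is None:
        return None
    major, minor, patch = parsed
    if (major, minor) not in AFFECTED_BRANCHES:
        return False
    if patch is None:
        # On an affected branch but no patch date visible: we cannot prove the
        # 20251213 fix is present, so report it conservatively as affected.
        return True
    return patch < FIXED_PATCH


def installed_version_string() -> Optional[str]:
    """Run `infocmp -V` if infocmp is on PATH and return its output (assumed format)."""
    exe = shutil.which("infocmp")
    if exe is None:
        return None
    result = subprocess.run([exe, "-V"], capture_output=True, text=True, check=False)
    # Some builds print the version on stderr; fall back to it if stdout is empty.
    return result.stdout.strip() or result.stderr.strip() or None


if __name__ == "__main__":
    text = installed_version_string()
    if text is None:
        print("infocmp not found or printed no version")
    else:
        verdict = is_affected(text)
        status = {True: "AFFECTED (upgrade to 6.5 + 20251213 patch)",
                  False: "not affected",
                  None: "could not parse version"}[verdict]
        print(f"{text}: {status}")
```

The check deliberately errs on the side of "affected" when the patch date is missing, since a bare "6.5" cannot be distinguished from a pre-fix build; on distributions that backport fixes without bumping the patch date, confirm against the package changelog instead.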