CVE-2020-19189

NameCVE-2020-19189
DescriptionBuffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3586-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ncurses (PTS)buster6.1+20181013-2+deb10u2vulnerable
buster (security)6.1+20181013-2+deb10u5fixed
bullseye6.2+20201114-2+deb11u2fixed
bookworm6.4-4fixed
sid, trixie6.4+20240113-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ncursessourcebuster6.1+20181013-2+deb10u4DLA-3586-1
ncursessource(unstable)6.1+20191019-1

Notes

https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc5.md
Fixed in 20191012 with followups in 20191015 and 20191019 patchlevels
https://lists.gnu.org/archive/html/bug-ncurses/2019-10/index.html

Search for package or bug name: Reporting problems