Bug 2006978 (CVE-2021-39537)

Summary: CVE-2021-39537 ncurses: heap-based buffer overflow in _nc_captoinfo() in captoinfo.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adudiak, aprice, bdettelb, caswilli, derrick.roach.ctr, dfreiber, dnakabaa, doconnor, drow, fjansen, hkataria, jburrell, jdobes, jkoehler, jmitchel, joehler, jsamir, jvasik, jwong, kaycoth, kshier, lcouzens, lphiri, mlichvar, mskarbek, oezr, orabin, rblanco, sthirugn, teagle, vkrizan, vkumar, vmugicag, yjog
Target Milestone: ---Keywords: Security
Target Release: ---Flags: devthomp: needinfo-
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ncurses 6.2.2 Doc Type: No Doc Update
Doc Text:
A heap overflow vulnerability has been identified in the ncurses package, particularly in the "tic". This flaw results from a lack of proper bounds checking during input processing. By exploiting this boundary error, an attacker can create a malicious file, deceive the victim into opening it using the affected software, and initiate an out-of-bounds write, potentially impacting system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2007372, 2007373, 2007374, 2007620, 2007633, 2007637, 2007638    
Bug Blocks: 2006979    

Description Guilherme de Almeida Suckevicz 2021-09-22 18:47:17 UTC 
An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Reference:
https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html
Comment 3 devthomp 2021-09-23 18:05:20 UTC 
full patch with fix:
https://github.com/mirror/ncurses/commit/790a85dbd4a81d5f5d8dd02a44d84f01512ef443#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340

Of note:
+ add a check for end-of-string in cvtchar to handle a malformed
  string in infotocap (report/testcase by "puppet-meteor").
Comment 4 juneau 2021-09-24 12:39:24 UTC 
Marking managed services affected/delegated. Code is present but impact is moderate.