Bug 2191704 (CVE-2023-29491)

Summary: CVE-2023-29491 ncurses: Local users can trigger security-relevant memory corruption via malformed data
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, bdettelb, caswilli, dffrench, dkuc, fjansen, gzaronik, jburrell, jmitchel, jobaror, jtanner, kaycoth, kshier, mlichvar, ngough, nweather, rgodfrey, stcannon, yguenane, yhuang
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in ncurses that occurs when the library is used by a setuid application. This flaw allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
Bug Depends On: 2192456, 2192457, 2192458, 2192459, 2257956    
Bug Blocks: 2191705    

Description Pedro Sampaio 2023-04-28 20:47:45 UTC
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

https://www.openwall.com/lists/oss-security/2023/04/13/4
https://www.openwall.com/lists/oss-security/2023/04/12/5
http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
http://www.openwall.com/lists/oss-security/2023/04/19/10
http://www.openwall.com/lists/oss-security/2023/04/19/11

Comment 9 Miroslav Lichvar 2023-08-15 14:48:06 UTC
*** Bug 2186313 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2023-09-19 14:01:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5249 https://access.redhat.com/errata/RHSA-2023:5249

Comment 12 Catherine_H 2023-09-27 08:46:51 UTC
Hi Team,

Customer reported this CVE affected many openjdk images like ubi8/openjdk-17:1.16-2, ubi8/openjdk-8-runtime:1.16-2. Do we have a plan to fix the CVE in this image?
Any update will be appreciated.

Image: 
https://catalog.redhat.com/software/containers/ubi8/openjdk-17/618bdbf34ae3739687568813?tag=1.16-2&push_date=1690216094000
https://catalog.redhat.com/software/containers/ubi8/openjdk-8-runtime/6048ed07dbb14c0b8248bdc4?tag=1.16-2&push_date=1690216094000

Best Regards,
Catherine

Comment 14 errata-xmlrpc 2023-11-07 08:22:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6698 https://access.redhat.com/errata/RHSA-2023:6698

Comment 15 errata-xmlrpc 2023-11-21 10:20:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7361 https://access.redhat.com/errata/RHSA-2023:7361

Comment 18 Nick Tait 2024-01-11 19:06:28 UTC
Created ncurses tracking bugs for this issue:

Affects: fedora-all [bug 2257956]

Comment 19 errata-xmlrpc 2024-01-24 16:47:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0416 https://access.redhat.com/errata/RHSA-2024:0416