Bug 2300290 (CVE-2023-45918)

Summary: CVE-2023-45918 ncurses: NULL pointer dereference in tgetstr in tinfo/lib_termcap.c
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bmason, bpg168g, jorton, mlichvar, prodsec-dev
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: jorton: needinfo? (ahanwate); bpg168g: needinfo? (prodsec-dev)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in ncurses. Affected versions of this package contain a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2300292, 2300293
Bug Blocks:

Description Avinash Hanwate 2024-07-29 06:55:03 UTC
ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.

https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html
https://security.netapp.com/advisory/ntap-20240315-0006/

Comment 1 Miroslav Lichvar 2024-07-29 07:11:39 UTC
I don't see the security impact here. terminfo files are trusted like executables. If an attacker can supply their own terminfo file, they can always prevent the application from working correctly.

Comment 3 errata-xmlrpc 2024-08-13 09:55:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:5107 https://access.redhat.com/errata/RHSA-2024:5107

Comment 4 Guruprasad Bhat 2024-09-04 18:22:16 UTC
This issue is also affecting the Red Hat UBI images.

Currently checked in the latest images:
* ubi8: https://catalog.redhat.com/software/containers/ubi8/ubi/5c359854d70cc534b3a3784e
contains: ncurses 6.1-10.20180224

* ubi9: https://catalog.redhat.com/software/containers/ubi9/ubi/615bcf606feffc5384e8452e
contains: ncurses 6.2-10.20210508

The UBI images are not listed in the Affected Products in the CVE - https://access.redhat.com/security/cve/CVE-2023-45918.
But as they are based on RHEL:

I am guessing there won't be any patch for the ubi8 image (because ubi8 is based on RHEL8, which is marked as Won't Fix in the CVE).
But perhaps for ubi9 a patch will be released when the RHEL9 patch is created. Is this understanding correct?

Thank you