There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. Reference: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html
Created ncurses tracking bugs for this issue: Affects: fedora-all [bug 1766618]
Upstream commit for this issue: https://github.com/mirror/ncurses/commit/b025434573f466efe27862656a6a9d41dd2bd609

ncurses 6.1 - patch 20191012
+ amend recent changes to ncurses*-config and pc-files to filter out Debian linker-flags (report by Sven Joachim, cf: 20150516).
+ clarify relationship between tic, infocmp and captoinfo in manpage.
+ check for invalid hashcode in _nc_find_type_entry and _nc_find_name_entry.
> fix several errata in tic (reports/testcases by "zjuchenyuan"):
+ check for invalid hashcode in _nc_find_entry.
+ check for missing character after backslash in fmt_entry
+ check for acsc with odd length in dump_entry in check for one-one mapping (cf: 20060415);
+ check length when converting from old AIX box_chars_1 capability, overlooked in changes to eliminate strcpy (cf: 20001007).
+ amend the ncurses*-config and pc-files to take into account the rpath
There's an issue with the ncurses library when using the infotocap tool to read and dump terminal capabilities from terminfo files. A terminfo file is a database which describes terminal capabilities and screen operations used by several screen-oriented programs. When dumping terminfo data, infotocap parses the input file but fails to check NULL byte terminators in some scenarios, leading to a heap-based buffer overflow by reading extra bytes beyond the allocated buffer. An attacker may leverage this by crafting a special terminfo input file leading the application to crash, thus causing DoS, or to dump extra bytes from heap, causing a low confidentiality impact.
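The changelog item "check for missing character after backslash in fmt_entry" names a common parser defect. The following is an added illustration of that pattern next to a checked version; it is not the ncurses source, and the function names and the sample buffer are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustration only, not ncurses code. Both functions walk a capability
 * string in which a backslash escapes the following byte, and report how
 * many source bytes were touched, including the terminator they stop on. */

/* Unchecked pattern: after a backslash the next byte is skipped without
 * testing that it exists. If the string ends in a backslash, the skipped
 * byte is the NUL itself and the walk continues into whatever follows. */
size_t walk_unsafe(const char *src)
{
    const char *p = src;
    while (*p != '\0') {
        if (*p == '\\')
            p++;                /* may step over the terminator */
        p++;
    }
    return (size_t)(p - src) + 1;
}

/* Checked pattern: a backslash with no character after it is rejected as
 * malformed, so the walk never passes the terminator. Returns 0 on success. */
int walk_checked(const char *src, size_t *touched)
{
    const char *p = src;
    while (*p != '\0') {
        if (*p == '\\') {
            if (p[1] == '\0')
                return -1;      /* missing character after backslash */
            p++;
        }
        p++;
    }
    *touched = (size_t)(p - src) + 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the string "a\" followed, inside the same array,
     * by bytes standing in for neighbouring heap data. */
    char buf[] = { 'a', '\\', '\0', 'X', 'Y', '\0' };
    size_t touched = 0;

    printf("string occupies %zu bytes\n", strlen(buf) + 1);
    printf("unsafe walk touched %zu bytes\n", walk_unsafe(buf));
    printf("checked walk returned %d\n", walk_checked(buf, &touched));
    return 0;
}
```

In the sample the extra bytes live in the same array so the run is well defined; with a heap allocation that ends at the terminator, the same walk reads past the allocation.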
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8
Via RHSA-2021:4426 https://access.redhat.com/errata/RHSA-2021:4426