ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html https://security.netapp.com/advisory/ntap-20240315-0006/
I don't see the security impact here. terminfo files are trusted like executables. If an attacker can supply their own terminfo file, they can always prevent the application from working correctly.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:5107 https://access.redhat.com/errata/RHSA-2024:5107
This issue is also affecting the Red Hat UBI images. Currently checked in the latest images:
* ubi8: https://catalog.redhat.com/software/containers/ubi8/ubi/5c359854d70cc534b3a3784e contains ncurses 6.1-10.20180224
* ubi9: https://catalog.redhat.com/software/containers/ubi9/ubi/615bcf606feffc5384e8452e contains ncurses 6.2-10.20210508
The UBI images are not listed in the Affected Products in the CVE - https://access.redhat.com/security/cve/CVE-2023-45918. But as they are based on RHEL, I am guessing there won't be any patch for the ubi8 image (because ubi8 is based on RHEL 8, which is listed as Won't Fix in the CVE), but perhaps for ubi9 a patch will be released when the RHEL 9 patch is created. Is this understanding correct? Thank you