libtermcap's tgetent() function's bounds-checking is incomplete, which can result in a buffer overflow from a bogus termcap file. I haven't yet come across any real-world security problems resulting from this, but it should be fixed in any event. I have a patch which I can supply you with. Thanks!
Fixed in errata release...