There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
Created ncurses tracking bugs for this issue:
Affects: fedora-all [bug 1766746]
Upstream patch for this issue:
Author: Thomas E. Dickey <email@example.com>
Date: Sun Oct 13 01:25:51 2019 +0000
ncurses 6.1 - patch 20191012
+ amend recent changes to ncurses*-config and pc-files to filter out
  Debian linker-flags (report by Sven Joachim, cf: 20150516).
+ clarify relationship between tic, infocmp and captoinfo in manpage.
+ check for invalid hashcode in _nc_find_type_entry and
> fix several errata in tic (reports/testcases by "zjuchenyuan"):
+ check for invalid hashcode in _nc_find_entry.
+ check for missing character after backslash in fmt_entry
+ check for acsc with odd length in dump_entry in check for one-one
  mapping (cf: 20060415);
+ check length when converting from old AIX box_chars_1 capability,
  overlooked in changes to eliminate strcpy (cf: 20001007).
+ amend the ncurses*-config and pc-files to take into account the rpath
There's an issue with ncurses when parsing terminal capabilities information files (terminfo files). The capability names are kept in a hash table; during the parsing, ncurses tries to match names found in the terminfo file with the hashed entries from its internal tables in the function _nc_find_entry(). However, some strings may cause the hash algorithm to overflow and generate invalid hash tags, which are further used to walk over the related hash table, returning invalid data, which is further used to retrieve data from captables residing in the process's heap. An attacker may take advantage of this weakness by crafting a terminfo file which may trigger the bug, resulting in low confidentiality, low integrity and low availability impact as depicted below:
Low confidentiality: The heap overflow causes an out-of-bounds read which may expose some chunks of data contained in the task's heap;
Low integrity: Eventually the overflow could result in memory corruption of some bytes contained in the heap;
Low availability: The overflow may cause an invalid memory access leading to a segmentation fault causing a DoS; however, only the single run for this single user will be affected.
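The failure mode described in the comment above, as an added example that is not part of this bug report or of ncurses itself: a hypothetical, simplified capability-name hash table whose hash (assumed here to sum signed char values, modelled on the "invalid hash tag" symptom) can return a negative bucket index for a name containing bytes >= 0x80, beside a lookup that validates the index before using it, which is the shape of the "check for invalid hashcode" fix the changelog names.

```c
#include <string.h>

/* Hypothetical, simplified model of a capability-name hash table (not
 * ncurses's own code): chained entries under TABLE_SIZE bucket heads. */
#define TABLE_SIZE 16
#define MAX_ENTRIES 8

struct entry { const char *name; int value_index; int next; };
static struct entry entries[MAX_ENTRIES];
static int n_entries;
static int heads[TABLE_SIZE];

/* Assumed hash, modelled on the symptom described above: summing *signed*
 * char values lets a byte >= 0x80 push the sum, and so the remainder,
 * below zero, yielding a bucket index that lies outside the table. */
static int hash_of(const char *name)
{
    const signed char *p = (const signed char *) name;
    long sum = 0;
    while (*p) {
        sum += (long) *p + (long) p[1] * 256;   /* mixes pairs of bytes */
        p++;
    }
    return (int) (sum % TABLE_SIZE);   /* C truncates toward zero: may be negative */
}

/* Builds the table from a constructed list of capability names;
 * returns the number of entries inserted. */
static int build_table(void)
{
    static const char *names[] = { "cols", "lines", "cup", "am", "bce" };
    n_entries = 0;
    for (int i = 0; i < TABLE_SIZE; i++) heads[i] = -1;
    for (int i = 0; i < 5; i++) {
        int h = hash_of(names[i]);   /* plain ASCII names: always in range */
        entries[n_entries].name = names[i];
        entries[n_entries].value_index = i;
        entries[n_entries].next = heads[h];
        heads[h] = n_entries++;
    }
    return n_entries;
}

/* Hardened lookup: the bucket index is validated before it is used. Without
 * the range check, a negative index reads memory before heads[] (the over-read). */
static int find_entry(const char *name)
{
    int h = hash_of(name);
    if (h < 0 || h >= TABLE_SIZE)
        return -1;   /* invalid hashcode: treat as "no such capability" */
    for (int i = heads[h]; i != -1; i = entries[i].next)
        if (strcmp(entries[i].name, name) == 0)
            return entries[i].value_index;
    return -1;
}
```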
Are there any steps to reproduce this issue or for mitigation?
In reply to comment #9:
> Hi Marco,
> Are there any steps to reproduce this issue or for mitigation?
Sorry about the delay. Unfortunately the only possible mitigation for this issue is to avoid manipulating terminfo files from untrusted sources.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4426 https://access.redhat.com/errata/RHSA-2021:4426