Package: ncurses X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org Severity: grave Tags: security
Hi, the following vulnerability was published for ncurses. CVE-2017-16879[0]: | Stack-based buffer overflow in the _nc_write_entry function in | tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial | of service (application crash) or possibly execute arbitrary code via | a crafted terminfo file, as demonstrated by tic. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. I checked the PoC from [1] and looks like working in every supported Debian distro at the moment. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-16879 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16879 [1] https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz Please adjust the affected versions in the BTS as needed.
