COMMAND

    ncurses

SYSTEMS AFFECTED

    Systems running ncurses-1.9.9e

PROBLEM

    There is a buffer overflow in ncurses 1.9.9e and older, a "terminal
    independent screen-painting subroutines library".

    This buffer overflow _may_ not be exploitable, since it is in  the
    main() function of  the 'move cursor'  library.  Anyway,  here are
    the technical details.

    Check lib_mvcur.c, main() function, line 1128:

        [...] (void)strcpy(tname, getenv("TERM")); [...]

    then, same thing on line 1204.

    The TERM environment variable is copied to tname, which is defined
    as char tname[BUFSIZ]. Setting TERM to a value longer than BUFSIZ
    (1024) bytes will result in a buffer overflow. All programs using
    ncurses-1.9.9e or previous are vulnerable, including setuid ones.
    The other calls to 'getenv' seem pretty secure.

    No exploit exists for this one, and writing one should be quite
    difficult since the overflow occurs in the main() function.
    Credit goes to Nicolas Dubee.
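    As an added illustration, not code from the advisory or from ncurses:
    the copy pattern described above, with the patch's strncpy() form
    beside a hardened copy that also checks for an unset TERM. TNAME_SIZE,
    copy_term_patched, copy_term_safe and the wrapper names are assumptions
    of this example, and the 16-byte buffer stands in for tname[BUFSIZ].

```c
#include <string.h>

/* Stand-in for the advisory's tname[BUFSIZ]; 16 bytes keeps the overlong
 * TERM test values short. */
#define TNAME_SIZE 16

/* The advisory's patch: strncpy() bounded by the whole buffer.  It stops the
 * overflow, but for a source of dstsz bytes or more no terminating NUL is
 * written, and a NULL src (TERM unset) is still dereferenced. */
static void copy_term_patched(char *dst, size_t dstsz, const char *src)
{
    (void) strncpy(dst, src, dstsz);
}

/* Hardened copy: tolerates the NULL that getenv() returns when TERM is unset,
 * always NUL-terminates, and reports truncation instead of hiding it.
 * Returns 0 = copied, 1 = truncated, -1 = no source. */
int copy_term_safe(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) return -1;
    if (src == NULL) { dst[0] = '\0'; return -1; }
    size_t n = strlen(src);
    if (n < dstsz) { memcpy(dst, src, n + 1); return 0; }
    memcpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return 1;
}

/* 1 if the patched copy leaves a NUL somewhere inside the buffer, else 0. */
int patched_copy_terminated(const char *src)
{
    char tname[TNAME_SIZE];
    memset(tname, 'x', sizeof tname);       /* simulate stale stack contents */
    copy_term_patched(tname, sizeof tname, src);
    return memchr(tname, '\0', sizeof tname) != NULL;
}

/* Status of the hardened copy for a given TERM value (see copy_term_safe). */
int safe_copy_status(const char *src)
{
    char tname[TNAME_SIZE];
    return copy_term_safe(tname, sizeof tname, src);
}

/* Length actually stored by the hardened copy; never reaches TNAME_SIZE. */
size_t safe_copy_len(const char *src)
{
    char tname[TNAME_SIZE];
    (void) copy_term_safe(tname, sizeof tname, src);
    return strlen(tname);
}
```

    A TERM value of exactly TNAME_SIZE bytes is the boundary case: the
    strncpy() form copies every byte and leaves no NUL behind.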

SOLUTION

    Copy the patch below into the directory where lib_mvcur.c is, apply
    it, and rebuild ncurses and any potential target that uses ncurses.

        1128c1128
        <     (void) strcpy(tname, getenv("TERM"));
        ---
        >     (void) strncpy(tname, getenv("TERM"),sizeof(tname));
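    Review bot: the replacement on line 1128 bounds the copy with
    sizeof(tname), but strncpy() writes no terminating NUL when the source
    is sizeof(tname) bytes or longer, so an overlong TERM no longer
    overflows yet leaves tname unterminated and any later read of it runs
    past the buffer. Copy sizeof(tname)-1 bytes and set
    tname[sizeof(tname)-1] = '\0' explicitly. getenv("TERM") also returns
    NULL when TERM is unset, which both the old and the new line pass
    straight into the copy; check it before copying.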
        1204c1204
        <           (void) strcpy(tname, getenv("TERM"));
        ---
        >           (void) strncpy(tname, getenv("TERM"),sizeof(tname));
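    Review bot: same fix, same gap as the first hunk: the strncpy() on
    line 1204 leaves no NUL for a TERM value of sizeof(tname) bytes or
    more, and the NULL return of getenv() is still unchecked; use the
    sizeof(tname)-1 copy with explicit termination here as well.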