SB2018082034 - Null pointer dereference in ncurses (Alpine package)
Published: August 20, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Null pointer dereference (CVE-ID: CVE-2018-10754)
The vulnerability allows a remote attacker to cause a denial-of-service (DoS) condition on the target system.
The vulnerability exists due to improper parsing of terminfo files by the _nc_write_entry function, as defined in the tinfo/parse_entry.c source code file. A remote attacker can trick the victim into opening a terminfo file that submits malicious input, trigger a NULL pointer dereference, and cause the application to crash.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=6c94a4c642c0fc71be234b0a1be81290f2c6fd54
- https://git.alpinelinux.org/aports/commit/?id=d510fa929a7f6ede654295930273de33fd0e9b15
- https://git.alpinelinux.org/aports/commit/?id=ff4efecdcffad26aa12170ab4e4b867f8f1d4c62
- https://git.alpinelinux.org/aports/commit/?id=b01bcbc9705e0ad4e6778c0a34ed376300577bbc
- https://git.alpinelinux.org/aports/commit/?id=f303e294fb206385ed1e11fd5188e7d2e6629b62