Security update for ncurses SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0159-1 Final 1 1 2018-01-20T13:11:04Z current 2018-01-20T13:11:04Z 2018-01-20T13:11:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ncurses This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-01/msg00062.html E-Mail link for openSUSE-SU-2018:0159-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 libncurses5-5.9-62.1 libncurses5-32bit-5.9-62.1 libncurses6-5.9-62.1 libncurses6-32bit-5.9-62.1 ncurses-5.9-62.1 ncurses-devel-5.9-62.1 ncurses-devel-32bit-5.9-62.1 ncurses-utils-5.9-62.1 tack-5.9-62.1 terminfo-5.9-62.1 terminfo-base-5.9-62.1 libncurses5-5.9-62.1 as a component of openSUSE Leap 42.2 libncurses5-32bit-5.9-62.1 as a component of openSUSE Leap 42.2 libncurses6-5.9-62.1 as a component of openSUSE Leap 42.2 libncurses6-32bit-5.9-62.1 as a component of openSUSE Leap 42.2 ncurses-5.9-62.1 as a component of openSUSE Leap 42.2 ncurses-devel-5.9-62.1 as a component of openSUSE Leap 42.2 ncurses-devel-32bit-5.9-62.1 as a component of openSUSE Leap 42.2 ncurses-utils-5.9-62.1 as a component of openSUSE Leap 42.2 tack-5.9-62.1 as a component of openSUSE Leap 42.2 terminfo-5.9-62.1 as a component of openSUSE Leap 42.2 terminfo-base-5.9-62.1 as a component of openSUSE Leap 42.2 libncurses5-5.9-62.1 as a component of openSUSE Leap 42.3 libncurses5-32bit-5.9-62.1 as a component of openSUSE Leap 42.3 libncurses6-5.9-62.1 as a component of openSUSE Leap 42.3 libncurses6-32bit-5.9-62.1 as a component of openSUSE Leap 42.3 ncurses-5.9-62.1 as a component of openSUSE Leap 42.3 ncurses-devel-5.9-62.1 as a component of openSUSE Leap 42.3 ncurses-devel-32bit-5.9-62.1 as a component of openSUSE Leap 42.3 ncurses-utils-5.9-62.1 as a component of openSUSE Leap 42.3 tack-5.9-62.1 as a component of openSUSE Leap 42.3 terminfo-5.9-62.1 as a component of openSUSE Leap 42.3 terminfo-base-5.9-62.1 as a component of openSUSE Leap 42.3 There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack. CVE-2017-13728 openSUSE Leap 42.2:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses5-5.9-62.1 openSUSE Leap 42.2:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses6-5.9-62.1 openSUSE Leap 42.2:ncurses-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-5.9-62.1 openSUSE Leap 42.2:ncurses-utils-5.9-62.1 openSUSE Leap 42.2:tack-5.9-62.1 openSUSE Leap 42.2:terminfo-5.9-62.1 openSUSE Leap 42.2:terminfo-base-5.9-62.1 openSUSE Leap 42.3:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses5-5.9-62.1 openSUSE Leap 42.3:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses6-5.9-62.1 openSUSE Leap 42.3:ncurses-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-5.9-62.1 openSUSE Leap 42.3:ncurses-utils-5.9-62.1 openSUSE Leap 42.3:tack-5.9-62.1 openSUSE Leap 42.3:terminfo-5.9-62.1 openSUSE Leap 42.3:terminfo-base-5.9-62.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00062.html https://www.suse.com/security/cve/CVE-2017-13728.html CVE-2017-13728 https://bugzilla.suse.com/1056136 SUSE Bug 1056136 https://bugzilla.suse.com/1069530 SUSE Bug 1069530 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1123132 SUSE Bug 1123132 https://bugzilla.suse.com/1175501 SUSE Bug 1175501 There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack. CVE-2017-13729 openSUSE Leap 42.2:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses5-5.9-62.1 openSUSE Leap 42.2:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses6-5.9-62.1 openSUSE Leap 42.2:ncurses-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-5.9-62.1 openSUSE Leap 42.2:ncurses-utils-5.9-62.1 openSUSE Leap 42.2:tack-5.9-62.1 openSUSE Leap 42.2:terminfo-5.9-62.1 openSUSE Leap 42.2:terminfo-base-5.9-62.1 openSUSE Leap 42.3:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses5-5.9-62.1 openSUSE Leap 42.3:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses6-5.9-62.1 openSUSE Leap 42.3:ncurses-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-5.9-62.1 openSUSE Leap 42.3:ncurses-utils-5.9-62.1 openSUSE Leap 42.3:tack-5.9-62.1 openSUSE Leap 42.3:terminfo-5.9-62.1 openSUSE Leap 42.3:terminfo-base-5.9-62.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00062.html https://www.suse.com/security/cve/CVE-2017-13729.html CVE-2017-13729 https://bugzilla.suse.com/1056132 SUSE Bug 1056132 https://bugzilla.suse.com/1069530 SUSE Bug 1069530 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1123132 SUSE Bug 1123132 https://bugzilla.suse.com/1175501 SUSE Bug 1175501 There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack. CVE-2017-13730 openSUSE Leap 42.2:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses5-5.9-62.1 openSUSE Leap 42.2:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses6-5.9-62.1 openSUSE Leap 42.2:ncurses-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-5.9-62.1 openSUSE Leap 42.2:ncurses-utils-5.9-62.1 openSUSE Leap 42.2:tack-5.9-62.1 openSUSE Leap 42.2:terminfo-5.9-62.1 openSUSE Leap 42.2:terminfo-base-5.9-62.1 openSUSE Leap 42.3:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses5-5.9-62.1 openSUSE Leap 42.3:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses6-5.9-62.1 openSUSE Leap 42.3:ncurses-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-5.9-62.1 openSUSE Leap 42.3:ncurses-utils-5.9-62.1 openSUSE Leap 42.3:tack-5.9-62.1 openSUSE Leap 42.3:terminfo-5.9-62.1 openSUSE Leap 42.3:terminfo-base-5.9-62.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00062.html https://www.suse.com/security/cve/CVE-2017-13730.html CVE-2017-13730 https://bugzilla.suse.com/1056131 SUSE Bug 1056131 https://bugzilla.suse.com/1069530 SUSE Bug 1069530 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1123132 SUSE Bug 1123132 https://bugzilla.suse.com/1175501 SUSE Bug 1175501 There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack. CVE-2017-13731 openSUSE Leap 42.2:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses5-5.9-62.1 openSUSE Leap 42.2:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses6-5.9-62.1 openSUSE Leap 42.2:ncurses-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-5.9-62.1 openSUSE Leap 42.2:ncurses-utils-5.9-62.1 openSUSE Leap 42.2:tack-5.9-62.1 openSUSE Leap 42.2:terminfo-5.9-62.1 openSUSE Leap 42.2:terminfo-base-5.9-62.1 openSUSE Leap 42.3:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses5-5.9-62.1 openSUSE Leap 42.3:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses6-5.9-62.1 openSUSE Leap 42.3:ncurses-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-5.9-62.1 openSUSE Leap 42.3:ncurses-utils-5.9-62.1 openSUSE Leap 42.3:tack-5.9-62.1 openSUSE Leap 42.3:terminfo-5.9-62.1 openSUSE Leap 42.3:terminfo-base-5.9-62.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00062.html https://www.suse.com/security/cve/CVE-2017-13731.html CVE-2017-13731 https://bugzilla.suse.com/1056129 SUSE Bug 1056129 https://bugzilla.suse.com/1069530 SUSE Bug 1069530 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1123132 SUSE Bug 1123132 https://bugzilla.suse.com/1175501 SUSE Bug 1175501 There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. CVE-2017-13732 openSUSE Leap 42.2:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses5-5.9-62.1 openSUSE Leap 42.2:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses6-5.9-62.1 openSUSE Leap 42.2:ncurses-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-5.9-62.1 openSUSE Leap 42.2:ncurses-utils-5.9-62.1 openSUSE Leap 42.2:tack-5.9-62.1 openSUSE Leap 42.2:terminfo-5.9-62.1 openSUSE Leap 42.2:terminfo-base-5.9-62.1 openSUSE Leap 42.3:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses5-5.9-62.1 openSUSE Leap 42.3:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses6-5.9-62.1 openSUSE Leap 42.3:ncurses-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-5.9-62.1 openSUSE Leap 42.3:ncurses-utils-5.9-62.1 openSUSE Leap 42.3:tack-5.9-62.1 openSUSE Leap 42.3:terminfo-5.9-62.1 openSUSE Leap 42.3:terminfo-base-5.9-62.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00062.html https://www.suse.com/security/cve/CVE-2017-13732.html CVE-2017-13732 https://bugzilla.suse.com/1056128 SUSE Bug 1056128 https://bugzilla.suse.com/1069530 SUSE Bug 1069530 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1123132 SUSE Bug 1123132 https://bugzilla.suse.com/1175501 SUSE Bug 1175501 There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. CVE-2017-13733 openSUSE Leap 42.2:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses5-5.9-62.1 openSUSE Leap 42.2:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.2:libncurses6-5.9-62.1 openSUSE Leap 42.2:ncurses-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.2:ncurses-devel-5.9-62.1 openSUSE Leap 42.2:ncurses-utils-5.9-62.1 openSUSE Leap 42.2:tack-5.9-62.1 openSUSE Leap 42.2:terminfo-5.9-62.1 openSUSE Leap 42.2:terminfo-base-5.9-62.1 openSUSE Leap 42.3:libncurses5-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses5-5.9-62.1 openSUSE Leap 42.3:libncurses6-32bit-5.9-62.1 openSUSE Leap 42.3:libncurses6-5.9-62.1 openSUSE Leap 42.3:ncurses-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-32bit-5.9-62.1 openSUSE Leap 42.3:ncurses-devel-5.9-62.1 openSUSE Leap 42.3:ncurses-utils-5.9-62.1 openSUSE Leap 42.3:tack-5.9-62.1 openSUSE Leap 42.3:terminfo-5.9-62.1 openSUSE Leap 42.3:terminfo-base-5.9-62.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00062.html https://www.suse.com/security/cve/CVE-2017-13733.html CVE-2017-13733 https://bugzilla.suse.com/1056127 SUSE Bug 1056127 https://bugzilla.suse.com/1069530 SUSE Bug 1069530 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1123132 SUSE Bug 1123132 https://bugzilla.suse.com/1175501 SUSE Bug 1175501