SuSE Security Announcement: ncurses
Oct 27, 2000, 20:19
Date: Fri, 27 Oct 2000 17:59:46 +0200 (MEST)
SuSE Security Announcement

Package: ncurses
Announcement-ID: SuSE-SA:2000:043
Date: Friday, October 27th, 2000 17:00 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type: local root compromise
Severity (1-10): 5
SuSE default package: yes
Other affected systems: systems with suid binaries linked against ncurses

Content of this advisory:
1) security vulnerability resolved: ncurses
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
The ncurses library is used by many text/console based applications such as mail user agents, ftp clients and other command line utilities. A vulnerability has been found by Jouko Pynnönen email@example.com in the screen handling functions: insufficient boundary checking leads to a buffer overflow if a user supplies a specially crafted terminfo database file. If an ncurses-linked binary is installed setuid root, it is possible for a local attacker to exploit this hole and gain elevated privileges.
There are several ways to fix the problem associated with the
library. One of them would be to fix the library. However, it is
not considered unlikely that another problem (similar to the one
that has just been found) will be revealed in the future.
Therefore, it is advisable not to link setuid applications against
the ncurses library. As a permanent and cleaner fix, we do not
provide update packages for the ncurses library, but we suggest
changing the modes of the relevant setuid applications. There are
three setuid-root applications contained in SuSE-distributions:
The script attached to the email with this announcement changes
the modes of files in the SuSE distribution that match both
criteria necessary to exploit the buffer overflow in the ncurses
You can download the script from the following location:
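
Separately from that script, the two criteria named above (a setuid-root file that is dynamically linked against ncurses) can be checked with an audit like the one below. This is an added example, not the SuSE script or any code from this announcement; the function names, the use of `ldd`, and the inclusion of libtinfo in the match are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report setuid-root files that are dynamically linked against
# ncurses. Function names are illustrative; this is not the SuSE script.

# Reads dynamic-linker output (ldd format) on stdin; succeeds if a curses
# library is listed. libtinfo is included as an assumption: newer ncurses
# builds can split the terminfo code into that library.
links_ncurses() {
    grep -Eq 'lib(n?cursesw?|tinfo)\.so'
}

# Prints each regular file under the given directories that is owned by
# uid 0, has the setuid bit set, and links against ncurses.
audit_setuid_ncurses() {
    find "$@" -xdev -type f -user 0 -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # ldd fails on static and non-ELF files, so those are skipped.
        # Run as root: setuid binaries are often not world-readable.
        if ldd "$f" 2>/dev/null | links_ncurses; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh audit.sh /bin /usr/bin /usr/sbin
# Review each hit before clearing the bit with: chmod u-s FILE
if [ "$#" -gt 0 ]; then
    audit_setuid_ncurses "$@"
fi
```

The script only lists candidates; whether a listed program still works without the setuid bit has to be decided per binary.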
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
A summary about ongoing issues will be included in the next security announcement.
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may subscribe:
SuSE's security contact is firstname.lastname@example.org.
Roman Drahtmüller email@example.com // "Caution: Cape does
SuSE GmbH - Security Phone: // not enable user to fly."
Nürnberg, Germany +49-911-740530 // (Batman Costume warning label)