SuSE Security Announcement: ncurses

Date: Fri, 27 Oct 2000 17:59:46 +0200 (MEST)
From: Roman Drahtmueller draht@suse.de
To: suse-security-announce@suse.de
Subject: [suse-security-announce] SuSE Security Announcement:
ncurses (SuSE-SA:2000:043)

                        SuSE Security Announcement

        Package:                ncurses
        Announcement-ID:        SuSE-SA:2000:043
        Date:                   Friday, October 27th, 2000 17:00 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        5
        SuSE default package:   yes
        Other affected systems: systems with suid binaries linked against

    Content of this advisory:
        1) security vulnerability resolved: ncurses
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade

The ncurses library is used by many text/console based
applications such as mail user agents, ftp clients and other
command line utilities. A vulnerability has been found by Jouko
Pynnönen jouko@solutions.fi in the screen
handling functions: Insufficient boundary checking leads to a
buffer overflow if a user supplies a specially drafted terminfo
database file. If an ncurses-linked binary is installed setuid
root, it is possible for a local attacker to exploit this hole and
gain elevated privileges.

There are several ways to fix the problem associated with the
library. One of them would be to fix the library. However, it is
not considered unlikely that another problem (similar to the one
that has just been found) will be revealed in the future.
Therefore, it is advisable to not link setuid applications against
the ncurses library. As a permanent and cleaner fix, we do not
provide update packages for the ncurses library, but we suggest to
change the modes of the relevant setuid applications. There are
three setuid-root applications contained in SuSE-distributions:
xaos (suid root for permissions to use SVGAlib on the Linux
console) screen (does not need root privs in the latest version)
cda, contained in the xmcd program, a command line CD player. It
might need elevated privileges to access the cdrom device file.

The script attached to the email with this announcement changes
the modes of files in the SuSE distribution that match both
criteria necessary to exploit the buffer overflow in the ncurses
1) the binary is setuid root,
2) it is linked against libncurses.
Please save the attachment under the name “perms-ncurses.sh” and
execute it using the command `bash ./perms-ncurses.sh´. It
a) Check your version of the screen program installed.
b) Changes /etc/permissions and /etc/permissions.easy to
the mode changes. The original files are saved, see
/etc/permissions.* . (note: The chkstat program is being executed
by SuSEconfig, the SuSE configuration script, to set the modes of
files according to the entries in the permission files. The files
being used are /etc/permissions, /etc/permissions.local and
/etc/permissions.easy unless the administrator changed the settings
in /etc/rc.config .)
c) Changes the file modes by hand by executing
chmod 755 /usr/X11R6/lib/X11/xmcd/bin-Linux-$ARCH/cda
/usr/bin/screen /usr/bin/xaos

You can download the script from the following location:



2) Pending vulnerabilities in SuSE Distributions and

A summary about ongoing issues will be included in the next
security announcement.

3) standard appendix:

SuSE runs two security mailing lists to which any interested
party may subscribe:

– general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list. To
subscribe, send an email to suse-security-subscribe@suse.com.


– SuSE’s announce-only mailing list.
Only SuSE’s security annoucements are sent to this list. To
subscribe, send an email to suse-security-announce-subscribe@suse.com.

For general information or the frequently asked questions (faq)
send mail to:

SuSE’s security contact is security@suse.com.

Roman Drahtmüller.
– – —

 -                                                                      -
| Roman Drahtmüller        draht@suse.de //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis