CVE-2017-16879
Ubuntu Security Notice USN-5477-1
Public Exploits: 1
Exploited in Wild: -
Descriptions
Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.
A stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses version 6.0 allows attackers to cause a denial of service (unexpected application termination) or possibly execute arbitrary code by means of a manipulated terminfo file, as demonstrated by tic.
Hosein Askari discovered that ncurses was incorrectly performing memory management operations when dealing with long filenames while writing structures into the file system. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. Chung-Yi Lin discovered that ncurses was incorrectly handling access to invalid memory areas when parsing terminfo or termcap entries where the use-name had invalid syntax. An attacker could possibly use this issue to cause a denial of service.
SSVC
- Decision:-
Timeline
- 2017-11-17 CVE Reserved
- 2017-11-18 CVE Published
- 2017-11-18 First Exploit
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-787: Out-of-bounds Write
References (6)
URL | Date | SRC |
---|---|---|
https://packetstorm.news/files/id/145045 | 2017-11-18 | |
http://invisible-island.net/ncurses/NEWS.html#t20171125 | 2023-11-07 | |
https://security.gentoo.org/glsa/201804-13 | 2023-11-07 | |