ALAS-2024-2412

Amazon Linux 2 Security Advisory: ALAS-2024-2412
Advisory Release Date: 2024-01-03 22:21 Pacific
Advisory Updated Date: 2024-01-09 18:00 Pacific

Severity: Medium

References: CVE-2019-17594 CVE-2019-17595 CVE-2020-19185 CVE-2020-19186 CVE-2020-19187 CVE-2020-19188 CVE-2020-19189 CVE-2020-19190
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. (CVE-2019-17594)

There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. (CVE-2019-17595)

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19185)

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19186)

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19187)

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19188)

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19189)

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. (CVE-2020-19190)

Affected Packages:

ncurses

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update ncurses to update your system.

New Packages:

aarch64:
    ncurses-6.0-8.20170212.amzn2.1.6.aarch64
    ncurses-libs-6.0-8.20170212.amzn2.1.6.aarch64
    ncurses-compat-libs-6.0-8.20170212.amzn2.1.6.aarch64
    ncurses-c++-libs-6.0-8.20170212.amzn2.1.6.aarch64
    ncurses-devel-6.0-8.20170212.amzn2.1.6.aarch64
    ncurses-static-6.0-8.20170212.amzn2.1.6.aarch64
    ncurses-debuginfo-6.0-8.20170212.amzn2.1.6.aarch64

i686:
    ncurses-6.0-8.20170212.amzn2.1.6.i686
    ncurses-libs-6.0-8.20170212.amzn2.1.6.i686
    ncurses-compat-libs-6.0-8.20170212.amzn2.1.6.i686
    ncurses-c++-libs-6.0-8.20170212.amzn2.1.6.i686
    ncurses-devel-6.0-8.20170212.amzn2.1.6.i686
    ncurses-static-6.0-8.20170212.amzn2.1.6.i686
    ncurses-debuginfo-6.0-8.20170212.amzn2.1.6.i686

noarch:
    ncurses-base-6.0-8.20170212.amzn2.1.6.noarch
    ncurses-term-6.0-8.20170212.amzn2.1.6.noarch

src:
    ncurses-6.0-8.20170212.amzn2.1.6.src

x86_64:
    ncurses-6.0-8.20170212.amzn2.1.6.x86_64
    ncurses-libs-6.0-8.20170212.amzn2.1.6.x86_64
    ncurses-compat-libs-6.0-8.20170212.amzn2.1.6.x86_64
    ncurses-c++-libs-6.0-8.20170212.amzn2.1.6.x86_64
    ncurses-devel-6.0-8.20170212.amzn2.1.6.x86_64
    ncurses-static-6.0-8.20170212.amzn2.1.6.x86_64
    ncurses-debuginfo-6.0-8.20170212.amzn2.1.6.x86_64

Additional References

Red Hat: CVE-2019-17594, CVE-2019-17595, CVE-2020-19185, CVE-2020-19186, CVE-2020-19187, CVE-2020-19188, CVE-2020-19189, CVE-2020-19190

Mitre: CVE-2019-17594, CVE-2019-17595, CVE-2020-19185, CVE-2020-19186, CVE-2020-19187, CVE-2020-19188, CVE-2020-19189, CVE-2020-19190

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-2412

Additional References