usn-5448-1
Vulnerability from osv_ubuntu
It was discovered that ncurses was not properly checking array bounds when executing the fmt_entry function, which could result in an out-of-bounds write. An attacker could possibly use this issue to execute arbitrary code. (CVE-2017-10684)
It was discovered that ncurses was not properly checking user input, which could result in it being treated as a format argument. An attacker could possibly use this issue to expose sensitive information or to execute arbitrary code. (CVE-2017-10685)
It was discovered that ncurses was incorrectly performing memory management operations and was not blocking access attempts to illegal memory locations. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-11112, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734)
It was discovered that ncurses was not properly performing checks on pointer values before attempting to access the related memory locations, which could lead to NULL pointer dereferencing. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-11113)
It was discovered that ncurses was incorrectly handling loops in libtic, which could lead to the execution of an infinite loop. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-13728)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2017-10684",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-10685",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-11112",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-11113",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13728",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13729",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13730",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13731",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13732",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13733",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13734",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "lib32ncurses5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "lib32ncursesw5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "lib32tinfo5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "lib64ncurses5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "lib64tinfo5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "libncurses5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "libncursesw5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "libtinfo5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "libx32ncurses5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "libx32ncursesw5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "libx32tinfo5",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-base",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-bin",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-examples",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-term",
"binary_version": "5.9+20140118-1ubuntu1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "ncurses",
"purl": "pkg:deb/ubuntu/ncurses@5.9+20140118-1ubuntu1+esm1?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.9+20140118-1ubuntu1+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"5.9+20130608-1ubuntu1",
"5.9+20131221-1ubuntu1",
"5.9+20140118-1ubuntu1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2017-10684",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-10685",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-11112",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-11113",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13728",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13729",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13730",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13731",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13732",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13733",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-13734",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "negligible",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:16.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "lib32ncurses5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "lib32ncursesw5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "lib32tinfo5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "lib64ncurses5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "lib64tinfo5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "libncurses5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "libncursesw5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "libtinfo5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "libx32ncurses5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "libx32ncursesw5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "libx32tinfo5",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-base",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-bin",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-examples",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
},
{
"binary_name": "ncurses-term",
"binary_version": "6.0+20160213-1ubuntu1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "ncurses",
"purl": "pkg:deb/ubuntu/ncurses@6.0+20160213-1ubuntu1+esm1?arch=source\u0026distro=esm-infra/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0+20160213-1ubuntu1+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"5.9+20150516-2ubuntu1",
"6.0+20151024-2ubuntu1",
"6.0+20151024-2ubuntu2",
"6.0+20160213-1ubuntu1"
]
}
],
"aliases": [],
"details": "It was discovered that ncurses was not properly checking array bounds\nwhen executing the fmt_entry function, which could result in an\nout-of-bounds write. An attacker could possibly use this issue to\nexecute arbitrary code. (CVE-2017-10684)\n\nIt was discovered that ncurses was not properly checking user input,\nwhich could result in it being treated as a format argument. An\nattacker could possibly use this issue to expose sensitive\ninformation or to execute arbitrary code. (CVE-2017-10685)\n\nIt was discovered that ncurses was incorrectly performing memory\nmanagement operations and was not blocking access attempts to\nillegal memory locations. An attacker could possibly use this issue\nto cause a denial of service. (CVE-2017-11112, CVE-2017-13729,\nCVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733,\nCVE-2017-13734)\n\nIt was discovered that ncurses was not properly performing checks\non pointer values before attempting to access the related memory\nlocations, which could lead to NULL pointer dereferencing. An\nattacker could possibly use this issue to cause a denial of service.\n(CVE-2017-11113)\n\nIt was discovered that ncurses was incorrectly handling loops in\nlibtic, which could lead to the execution of an infinite loop. An\nattacker could possibly use this issue to cause a denial of service.\n(CVE-2017-13728)\n",
"id": "USN-5448-1",
"modified": "2026-06-29T10:52:55Z",
"published": "2022-05-26T17:17:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5448-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-10684"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-10685"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-11112"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-11113"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-13728"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-13729"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-13730"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-13731"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-13732"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-13733"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-13734"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "ncurses vulnerabilities",
"upstream": [
"UBUNTU-CVE-2017-10684",
"UBUNTU-CVE-2017-10685",
"UBUNTU-CVE-2017-11112",
"UBUNTU-CVE-2017-11113",
"UBUNTU-CVE-2017-13728",
"UBUNTU-CVE-2017-13729",
"UBUNTU-CVE-2017-13730",
"UBUNTU-CVE-2017-13731",
"UBUNTU-CVE-2017-13732",
"UBUNTU-CVE-2017-13733",
"UBUNTU-CVE-2017-13734"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.