bug-ncurses

Re: CVE-2021-39537


From: Thomas Dickey
Subject: Re: CVE-2021-39537
Date: Tue, 12 Oct 2021 15:07:55 -0400 (EDT)

----- Original Message -----
| From: "BRUNO VERNAY" <bruno.vernay@se.com>
| To: "Ncurses Mailing List" <bug-ncurses@gnu.org>
| Sent: Tuesday, October 12, 2021 8:56:02 AM
| Subject: CVE-2021-39537

| Hi
| 
| There is a new CVE-2021-39537:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39537

That says 20210823 (one can only guess why it was delayed more than a year).

| referencing this more than one year old thread:
| https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html
| 
| I did not find any mention of this CVE in the mailing list and reading the
| messages it sounds like a false-positive.

One of the packagers asked about this last week -

http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c

(I did the bisect for him, since I've been working for the past few weeks 
anyway to prepare for 6.3)

| Yet all versions up to (including) 6.2.1  are flagged with a CVSS 8.8.

well..., there's no such thing as "6.2.1" on this list.
(the severity's no more reliable than the analysis which led to the report)

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://ftp.invisible-island.net


