Re: CVE-2021-39537
From: Miroslav Lichvar
Subject: Re: CVE-2021-39537
Date: Wed, 13 Oct 2021 11:53:22 +0200
On Tue, Oct 12, 2021 at 12:56:02PM +0000, BRUNO VERNAY wrote:
> There is a new CVE-2021-39537:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39537
> referencing this more than one year old thread:
> https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html
>
> I did not find any mention of this CVE in the mailing list and reading the
> messages it sounds like a false-positive.
>
> Yet all versions up to (including) 6.2.1 are flagged with a CVSS 8.8.
If I understand it correctly, it's a buffer overread in tic, causing a
segfault at worst. That might be a CVE, but the impact should be much
lower. There is no code execution.
--
Miroslav Lichvar