The ncurses library is used by many text/console based applications such as mail user agents, ftp clients and other command line utilities. A vulnerability has been found by Jouko Pynnönen <firstname.lastname@example.org> in the screen handling functions: Insufficient boundary checking leads to a buffer overflow if a user supplies a specially drafted terminfo database file. If an ncurses-linked binary is installed setuid root, it is possible for a local attacker to exploit this hole and gain elevated privileges.
SuSE Security Announcement
Date: Friday, October 27th, 2000 17:00 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type: local root compromise
Severity (1-10): 5
SuSE default package: yes
Other affected systems: systems with suid binaries linked against
Content of this advisory:
1) security vulnerability resolved: ncurses
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
The ncurses library is used by many text/console based applications
such as mail user agents, ftp clients and other command line utilities.
A vulnerability has been found by Jouko Pynnönen <email@example.com>
in the screen handling functions: Insufficient boundary checking leads
to a buffer overflow if a user supplies a specially drafted terminfo
database file. If an ncurses-linked binary is installed setuid root,
it is possible for a local attacker to exploit this hole and gain
elevated privileges.
There are several ways to fix the problem associated with the library.
One of them would be to fix the library. However, it is not unlikely
that another problem (similar to the one that has just been found)
will be revealed in the future. Therefore, it is advisable not to
link setuid applications against the ncurses library. As a permanent
and cleaner fix, we do not provide update packages for the ncurses
library; instead, we suggest changing the modes of the relevant setuid
applications. There are three setuid-root applications contained in
xaos (suid root for permissions to use SVGAlib on the Linux console)
screen (does not need root privs in the latest version)
cda, contained in the xmcd program, a command line CD player. It might
need elevated privileges to access the cdrom device file.
The script attached to the email with this announcement changes the
modes of files in the SuSE distribution that match both criteria
necessary to exploit the buffer overflow in the ncurses library:
1) the binary is setuid root,
2) it is linked against libncurses.
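
A read-only audit for the two criteria above, as an added example (this is not SuSE's perms-ncurses.sh script, which is not reproduced on this page). The function names and the OWNER variable are assumptions of the example; it only lists matching files and changes no modes.

```shell
#!/bin/sh
# Added example: list files that meet both criteria from the advisory:
#   1) the binary is setuid and owned by root,
#   2) it is dynamically linked against libncurses.
# Statically linked binaries are not detected by this check.

# Print the DT_NEEDED entries of an ELF file, one soname per line.
# readelf only parses the file; ldd is avoided because it may run
# code from the binary it inspects.
list_needed() {
    LC_ALL=C readelf -d "$1" 2>/dev/null |
        sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Succeed if the file names libncurses (any soname version) as a dependency.
links_ncurses() {
    list_needed "$1" | grep -Eq '^libncurses\.so'
}

# Walk the given directories and print the path of every setuid file
# owned by $OWNER (default: root) that links libncurses.
# OWNER is an assumption of this example so it can be tried unprivileged.
audit_suid_ncurses() {
    owner=${OWNER:-root}
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null |
        while IFS= read -r f; do
            if links_ncurses "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Run the audit when directories are given on the command line,
# e.g.: sh audit.sh /bin /usr/bin /usr/X11R6
if [ "$#" -gt 0 ]; then
    audit_suid_ncurses "$@"
fi
```

Each path printed is a candidate for the mode change the advisory recommends; review it before removing the setuid bit.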
Please save the attachment under the name "perms-ncurses.sh" and
execute it using the command "bash ./perms-ncurses.sh".
a) Check your version of the screen program installed.
b) Changes /etc/permissions and /etc/permissions.easy to reflect
the mode changes. The original files are saved, see
/etc/permissions.* . (note: The chkstat program is being
executed by SuSEconfig, the SuSE configuration script, to set
the modes of files according to the entries in the permission
files. The files being used are /etc/permissions,
/etc/permissions.local and /etc/permissions.easy unless the
administrator changed the settings in /etc/rc.config .)
c) Changes the file modes by hand by executing
chmod 755 /usr/X11R6/lib/X11/xmcd/bin-Linux-$ARCH/cda
You can download the script from the following location:
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
A summary about ongoing issues will be included in the next security
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
For general information or the frequently asked questions (faq)
send mail to:
SuSE's security contact is <firstname.lastname@example.org>.
--
| Roman Drahtmueller <email@example.com> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| Nuernberg, Germany +49-911-740530 // (Batman Costume warning label) |
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <firstname.lastname@example.org>