Vulnerability CVE-2017-16879

Vulnerability Name:

CVE-2017-16879 (CCN-135309)

Assigned:

2017-11-08

Published:

2017-11-08

Updated:

2021-06-29

Summary:

Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
3.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-787

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2017-16879

Source: CONFIRM
Type: Vendor Advisory
http://invisible-island.net/ncurses/NEWS.html#t20171125

Source: MISC
Type: Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html

Source: XF
Type: UNKNOWN
ncurses-cve201716879-dos(135309)

Source: MLIST
Type: UNKNOWN
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

Source: CCN
Type: Packet Storm Security [11-18-2017]
GNU ncurses 6.0 tic Denial Of Service

Source: GENTOO
Type: Third Party Advisory
GLSA-201804-13

Source: CONFIRM
Type: Permissions Required, Third Party Advisory
https://tools.cisco.com/security/center/viewAlert.x?alertId=57695

Source: CCN
Type: GNU Web site
Announcing ncurses 6.0

Source: CCN
Type: IBM Security Bulletin 5099768 (BladeCenter Advanced Management Module (AMM))
Vulnerabilities in Ncurses affect IBM BladeCenter Advanced Management Module (AMM)

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-16879

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnu:ncurses:6.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:gnu:ncurses:6.0:*:*:*:*:*:*:*

AND

cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201716879	V	CVE-2017-16879	2022-05-22
oval:org.opensuse.security:def:34618	P	Security update for libqt4 (Important)	2021-12-22
oval:org.opensuse.security:def:30278	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:31314	P	Security update for xen (Moderate)	2021-12-01
oval:org.opensuse.security:def:31301	P	Security update for samba (Important)	2021-11-19
oval:org.opensuse.security:def:34579	P	Security update for java-11-openjdk (Important)	2021-10-27
oval:org.opensuse.security:def:30135	P	Security update for apache2 (Important)	2021-10-06
oval:org.opensuse.security:def:32187	P	Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)	2021-09-23
oval:org.opensuse.security:def:34530	P	Security update for xerces-c (Important)	2021-09-03
oval:org.opensuse.security:def:32986	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:32148	P	Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)	2021-07-21
oval:org.opensuse.security:def:29392	P	Security update for openexr (Important)	2021-06-24
oval:org.opensuse.security:def:34472	P	Security update for libnettle (Important)	2021-06-23
oval:org.opensuse.security:def:33935	P	Security update for libnettle (Important)	2021-06-23
oval:org.opensuse.security:def:36239	P	mailman-2.1.14-9.6.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36197	P	libmpfr1-2.3.2-3.118.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:32929	P	Security update for postgresql13 (Moderate)	2021-05-27
oval:org.opensuse.security:def:30192	P	Security update for bind (Important)	2021-05-04
oval:org.opensuse.security:def:30067	P	Security update for gdm (Important)	2021-04-28
oval:org.opensuse.security:def:29348	P	Security update for sudo (Important)	2021-04-20
oval:org.opensuse.security:def:31145	P	Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)	2021-04-07
oval:org.opensuse.security:def:30047	P	Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP2) (Important)	2021-03-17
oval:org.opensuse.security:def:28953	P	Security update for glib2 (Important)	2021-03-16
oval:org.opensuse.security:def:34643	P	Security update for python-cryptography (Important)	2021-03-02
oval:org.opensuse.security:def:30030	P	Security update for java-1_8_0-ibm (Important)	2021-02-26
oval:org.opensuse.security:def:33073	P	Security update for wpa_supplicant (Important)	2021-02-15
oval:org.opensuse.security:def:31357	P	Security update for MozillaFirefox (Important)	2021-01-12
oval:org.opensuse.security:def:31276	P	Security update for java-1_8_0-ibm (Moderate)	2021-01-05
oval:org.opensuse.security:def:32835	P	Security update for MozillaFirefox (Critical)	2020-12-21
oval:org.opensuse.security:def:35559	P	gpg2-2.0.9-25.25.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35515	P	MozillaFirefox-3.5.9-0.1.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:32611	P	unzip on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32610	P	unrar on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28896	P	Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:28811	P	Security update for postgresql91	2020-12-01
oval:org.opensuse.security:def:30638	P	Security update for xorg-x11	2020-12-01
oval:org.opensuse.security:def:28680	P	Security update for flash-player	2020-12-01
oval:org.opensuse.security:def:34314	P	Security update for rsync (Moderate)	2020-12-01
oval:org.opensuse.security:def:30594	P	Security update for Perl	2020-12-01
oval:org.opensuse.security:def:28612	P	Security update for Xen	2020-12-01
oval:org.opensuse.security:def:34225	P	Security update for php5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:30575	P	Security update for mozilla-nspr (Moderate)	2020-12-01
oval:org.opensuse.security:def:28601	P	Security update for telepathy-gabble	2020-12-01
oval:org.opensuse.security:def:34168	P	Security update for openssl (Moderate)	2020-12-01
oval:org.opensuse.security:def:30536	P	Security update for java-1_7_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:28600	P	Security update for sudo	2020-12-01
oval:org.opensuse.security:def:34071	P	Security update for libxml2 (Low)	2020-12-01
oval:org.opensuse.security:def:30487	P	Security update for curl	2020-12-01
oval:org.opensuse.security:def:30432	P	Security update for xorg-x11-server (Important)	2020-12-01
oval:org.opensuse.security:def:33852	P	Security update for icu (Moderate)	2020-12-01
oval:org.opensuse.security:def:35488	P	Security update for php53 (Moderate)	2020-12-01
oval:org.opensuse.security:def:33841	P	Security update for gtk2	2020-12-01
oval:org.opensuse.security:def:35449	P	Security update for perl (Low)	2020-12-01
oval:org.opensuse.security:def:33840	P	Security update for gstreamer-0_10-plugins-base (Important)	2020-12-01
oval:org.opensuse.security:def:35400	P	Security update for openssh (Important)	2020-12-01
oval:org.opensuse.security:def:35341	P	Security update for mutt (Important)	2020-12-01
oval:org.opensuse.security:def:31510	P	Security update for libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:29915	P	Security update for libcgroup1 (Moderate)	2020-12-01
oval:org.opensuse.security:def:35181	P	Security update for kvm (Important)	2020-12-01
oval:org.opensuse.security:def:31466	P	Security update for postgresql94 (Important)	2020-12-01
oval:org.opensuse.security:def:29842	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:35091	P	Security update for kdelibs3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31445	P	Security update for poppler (Moderate)	2020-12-01
oval:org.opensuse.security:def:29831	P	Security update for jpeg (Low)	2020-12-01
oval:org.opensuse.security:def:35034	P	Security update for icu (Moderate)	2020-12-01
oval:org.opensuse.security:def:31406	P	Security update for perl-PlRPC (Moderate)	2020-12-01
oval:org.opensuse.security:def:28296	P	Security update for ncurses (Important)	2020-12-01
oval:org.opensuse.security:def:29830	P	Security update for jpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:34934	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:28261	P	Security update for memcached (Moderate)	2020-12-01
oval:org.opensuse.security:def:34798	P	Security update for ansible (Moderate)	2020-12-01
oval:org.opensuse.security:def:27623	P	Security update for inkscape	2020-12-01
oval:org.opensuse.security:def:34714	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:27579	P	xalan-j2-demo on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34703	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:31058	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:27565	P	rxvt-unicode on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34119	P	Security update for ncurses (Important)	2020-12-01
oval:org.opensuse.security:def:34702	P	Security update for Image Magick	2020-12-01
oval:org.opensuse.security:def:31001	P	Security update for java-1_6_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:27526	P	opensc-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34079	P	Security update for libxslt (Moderate)	2020-12-01
oval:org.opensuse.security:def:30910	P	Security update for freetype2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27477	P	libreoffice on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33441	P	Security update for evolution-data-server	2020-12-01
oval:org.opensuse.security:def:30778	P	Security update for bash	2020-12-01
oval:org.opensuse.security:def:27424	P	kdelibs3-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33397	P	Security update for cobbler (Moderate)	2020-12-01
oval:org.opensuse.security:def:30704	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:27273	P	procmail on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33374	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:30693	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:27189	P	libgtop on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33335	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:30692	P	Security update for MozillaFirefox (Critical)	2020-12-01
oval:org.opensuse.security:def:27132	P	ghostscript-fonts-other on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33286	P	wpa_supplicant on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27051	P	vte on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33229	P	perl-HTML-Parser on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26923	P	jpeg on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26859	P	acpid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29331	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:35366	P	Security update for ncurses (Important)	2020-12-01
oval:org.opensuse.security:def:26848	P	yast2-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29292	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:35325	P	Security update for microcode_ctl (Important)	2020-12-01
oval:org.opensuse.security:def:26847	P	yast2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29243	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:34687	P	Security update for xen (Moderate)	2020-12-01
oval:org.opensuse.security:def:32700	P	libMagickCore1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29189	P	Security update for netpbm (Moderate)	2020-12-01
oval:org.opensuse.security:def:32622	P	LibVNCServer on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29037	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:com.ubuntu.bionic:def:2017168790000000	V	CVE-2017-16879 on Ubuntu 18.04 LTS (bionic) - negligible.	2017-11-22
oval:com.ubuntu.artful:def:201716879000	V	CVE-2017-16879 on Ubuntu 17.10 (artful) - negligible.	2017-11-22
oval:com.ubuntu.xenial:def:201716879000	V	CVE-2017-16879 on Ubuntu 16.04 LTS (xenial) - negligible.	2017-11-22
oval:com.ubuntu.xenial:def:2017168790000000	V	CVE-2017-16879 on Ubuntu 16.04 LTS (xenial) - negligible.	2017-11-22
oval:com.ubuntu.bionic:def:201716879000	V	CVE-2017-16879 on Ubuntu 18.04 LTS (bionic) - negligible.	2017-11-22
oval:com.ubuntu.disco:def:2017168790000000	V	CVE-2017-16879 on Ubuntu 19.04 (disco) - negligible.	2017-11-22
oval:com.ubuntu.cosmic:def:201716879000	V	CVE-2017-16879 on Ubuntu 18.10 (cosmic) - negligible.	2017-11-22
oval:com.ubuntu.cosmic:def:2017168790000000	V	CVE-2017-16879 on Ubuntu 18.10 (cosmic) - negligible.	2017-11-22
oval:com.ubuntu.trusty:def:201716879000	V	CVE-2017-16879 on Ubuntu 14.04 LTS (trusty) - negligible.	2017-11-22

BACK