[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Wed, 13 Oct 2021 15:09:41 -0400
On Wed, Oct 13, 2021 at 11:53:22AM +0200, Miroslav Lichvar wrote:
> On Tue, Oct 12, 2021 at 12:56:02PM +0000, BRUNO VERNAY wrote:
> > There is a new CVE-2021-39537 :
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39537
> > referencing this more than one year old thread:
> > https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html
> > I did not find any mention of this CVE in the mailing list and reading
> > the messages it sounds like a false-positive.
> > Yet all versions up to (including) 6.2.1 are flagged with a CVSS 8.8.
> If I understand it correctly, it's a buffer overread in tic, causing a
> segfault at worst. That might be a CVE, but the impact should be much
> lower. There is no code execution.
agreed (the address sanitizer trace says "READ" - its comment about
"heap-buffer-overflow" is unreliable).
Thomas E. Dickey <firstname.lastname@example.org>
Description: PGP signature