PT-2019-14262 · Rust · Pancurses

Published 2019-06-15 · Updated 2021-08-25 · CVE-2019-15546

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

pancurses versions through 0.16.1
Description

The printw and mvprintw functions of pancurses (pancurses::printw and pancurses::mvprintw, exposed as methods on pancurses::Window) take a Rust &str and hand a pointer to it straight to the C printw/mvprintw as the format string. Nothing escapes the text on the way, so every '%' directive in attacker-controlled input is interpreted by the C formatter: read conversions such as %x and %s leak register and stack contents, and the %n conversion writes an attacker-influenced count through whatever pointer the formatter pulls from the stack. That is why hostile input can trivially write arbitrary data to stack memory, and, once an attacker-supplied address sits on the stack, to arbitrary memory.

Recommendations

Upgrade to pancurses 0.17.0 or later, the patched range listed in RUSTSEC-2019-0005. On versions through 0.16.1, never pass text an attacker can influence (user input, file contents, network data) as the argument of printw or mvprintw. Write such text with Window::addstr or Window::mvaddstr, which output the string verbatim, or escape every '%' as "%%" before it reaches printw/mvprintw. During review, treat any printw/mvprintw call whose argument is not a string literal as a finding.
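The following is an added example, not code from the pancurses project or from this advisory. It reproduces the vulnerable pattern with libc's snprintf standing in for ncurses' printw (both hand the string to a printf-family formatter; using snprintf instead of a terminal is an assumption made so the code runs without a curses crate), and places next to it the two hardened patterns from the recommendations above: a fixed "%s" format with the text as the argument, and escaping '%' as "%%". The audit helper format_directives, the function names and the sample input are all constructed here; a Unix-like target with a C libc reachable from Rust's standard library is assumed.

```rust
// Added example (not pancurses project code). Models the CVE-2019-15546 bug with
// libc's snprintf standing in for ncurses' printw, then shows two hardened
// variants and an audit helper. Assumes a Unix-like target with a C libc.
use std::ffi::{CStr, CString};
use std::os::raw::{c_char, c_int};

extern "C" {
    // C variadic prototype: the format string is parsed by libc, not by Rust.
    fn snprintf(buf: *mut c_char, size: usize, fmt: *const c_char, ...) -> c_int;
}

const BUF_LEN: usize = 256;

/// Vulnerable pattern (what pancurses <= 0.16.1 did in printw/mvprintw): the
/// caller's string *is* the format. Every '%' directive in `s` is interpreted
/// by libc: '%x' reads caller registers/stack, '%n' writes to memory.
/// Only exercise this with read-only directives such as '%x'; '%n' corrupts memory.
fn format_vulnerable(s: &str) -> String {
    let fmt = CString::new(s).expect("format must not contain interior NUL");
    let mut buf = [0 as c_char; BUF_LEN];
    // SAFETY (as far as Rust is concerned): buf is writable and snprintf bounds
    // and NUL-terminates it. The missing variadic arguments are the bug itself.
    unsafe {
        snprintf(buf.as_mut_ptr(), BUF_LEN, fmt.as_ptr());
        CStr::from_ptr(buf.as_ptr()).to_string_lossy().into_owned()
    }
}

/// Hardened pattern 1: a fixed "%s" format, with the untrusted text passed as
/// the argument so it can never be interpreted as directives.
fn format_fixed(s: &str) -> String {
    let arg = CString::new(s).expect("text must not contain interior NUL");
    let fmt = CString::new("%s").unwrap();
    let mut buf = [0 as c_char; BUF_LEN];
    // SAFETY: one "%s" directive, one matching char* argument, bounded buffer.
    unsafe {
        snprintf(buf.as_mut_ptr(), BUF_LEN, fmt.as_ptr(), arg.as_ptr());
        CStr::from_ptr(buf.as_ptr()).to_string_lossy().into_owned()
    }
}

/// Hardened pattern 2, for call sites that must keep passing a format (the
/// workaround on 0.16.1): escape every '%' as "%%", which printf emits literally.
fn escape_percent(s: &str) -> String {
    s.replace('%', "%%")
}

/// Audit helper: the directives a printf-family formatter would act on in `s`.
/// "%%" is skipped as a literal; anything else from '%' to the next conversion
/// character is reported (deliberately over-approximate, so it never misses '%n').
fn format_directives(s: &str) -> Vec<String> {
    const CONVERSIONS: &str = "diouxXeEfFgGaAcspn";
    let chars: Vec<char> = s.chars().collect();
    let mut found = Vec::new();
    let mut i = 0;
    while i < chars.len() {
        if chars[i] != '%' {
            i += 1;
        } else if chars.get(i + 1) == Some(&'%') {
            i += 2; // literal percent sign
        } else {
            let start = i;
            i += 1;
            // flags, width, precision and length modifiers precede the conversion
            while i < chars.len() && !CONVERSIONS.contains(chars[i]) {
                i += 1;
            }
            if i < chars.len() {
                i += 1; // include the conversion character
            }
            // a trailing lone '%' is reported too: it is also undefined behaviour in C
            found.push(chars[start..i].iter().collect());
        }
    }
    found
}

fn main() {
    // Constructed attacker-controlled input, e.g. a chat message echoed to the screen.
    let hostile = "hi %x %x";
    println!("vulnerable : {}", format_vulnerable(hostile)); // %x expanded to leaked bytes
    println!("fixed fmt  : {}", format_fixed(hostile)); // printed verbatim
    println!("escaped    : {}", format_vulnerable(&escape_percent(hostile))); // verbatim
    println!("directives : {:?}", format_directives("100%% done, %08x %n"));
}
```

Running the binary shows the first line with the two %x replaced by whatever happened to be in the variadic-argument slots, while the fixed-format and escaped lines reproduce the input unchanged. The same sequence applies to a pancurses call site: an argument that reaches printw with a non-empty format_directives result is the bug this advisory describes.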

Fix

pancurses 0.17.0 and later (the patched range listed in RUSTSEC-2019-0005)

Weakness Enumeration

CWE-134: Use of Externally-Controlled Format String

Related Identifiers

CVE-2019-15546
GHSA-M57C-4VVX-GJGQ
RUSTSEC-2019-0005

Affected Products

Pancurses