CVE-2019-15548

Name of the Vulnerable Software and Affected Versions ncurses versions through 5.99.0

Description The issue arises from the mishandling of interaction with C functions, leading to buffer overflows in instr and mvwinstr. Specifically, ncurses exposes functions from the ncurses library that pass buffers without length to C functions, which may write an arbitrary amount of data, causing a buffer overflow. Additionally, it passes Rust &str to strings expecting C format arguments, allowing hostile input to execute a format string attack, which can write arbitrary data to stack memory, particularly in functions like printw.

Recommendations For versions through 5.99.0, consider disabling the instr and mvwinstr functions until a patch is available. Restrict access to the printw family of functions to minimize the risk of exploitation. Avoid using the &str parameter in affected functions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.