Recommended update for ncurses SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1790-1 Final 1 1 2017-07-06T09:33:15Z current 2017-07-06T09:33:15Z 2017-07-06T09:33:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for ncurses This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-ncurses-13197,slessp4-ncurses-13197 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171790-1/ Link for SUSE-SU-2017:1790-1 https://lists.suse.com/pipermail/sle-security-updates/2017-July/003011.html E-Mail link for SUSE-SU-2017:1790-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1046853 SUSE Bug 1046853 https://bugzilla.suse.com/1046858 SUSE Bug 1046858 https://www.suse.com/security/cve/CVE-2017-10684/ SUSE CVE CVE-2017-10684 page https://www.suse.com/security/cve/CVE-2017-10685/ SUSE CVE CVE-2017-10685 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 ncurses-devel-5.6-92.1 ncurses-devel-32bit-5.6-92.1 tack-5.6-92.1 libncurses5-5.6-92.1 libncurses5-32bit-5.6-92.1 libncurses5-x86-5.6-92.1 libncurses6-5.6-92.1 libncurses6-32bit-5.6-92.1 libncurses6-x86-5.6-92.1 ncurses-utils-5.6-92.1 terminfo-5.6-92.1 terminfo-base-5.6-92.1 libncurses5-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 libncurses5-32bit-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 libncurses5-x86-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 libncurses6-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 libncurses6-32bit-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 libncurses6-x86-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 ncurses-devel-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 ncurses-devel-32bit-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 ncurses-utils-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 tack-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 terminfo-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 terminfo-base-5.6-92.1 as a component of SUSE Linux Enterprise Server 11 SP4 libncurses5-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libncurses5-32bit-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libncurses5-x86-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libncurses6-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libncurses6-32bit-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libncurses6-x86-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 ncurses-devel-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 ncurses-devel-32bit-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 ncurses-utils-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tack-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 terminfo-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 terminfo-base-5.6-92.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 ncurses-devel-5.6-92.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 ncurses-devel-32bit-5.6-92.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 tack-5.6-92.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. CVE-2017-10684 SUSE Linux Enterprise Server 11 SP4:libncurses5-32bit-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses5-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses5-x86-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses6-32bit-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses6-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses6-x86-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:ncurses-devel-32bit-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:ncurses-devel-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:ncurses-utils-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:tack-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:terminfo-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:terminfo-base-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses5-32bit-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses5-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses5-x86-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses6-32bit-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses6-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses6-x86-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:ncurses-devel-32bit-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:ncurses-devel-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:ncurses-utils-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tack-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:terminfo-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:terminfo-base-5.6-92.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ncurses-devel-32bit-5.6-92.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ncurses-devel-5.6-92.1 SUSE Linux Enterprise Software Development Kit 11 SP4:tack-5.6-92.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171790-1/ https://www.suse.com/security/cve/CVE-2017-10684.html CVE-2017-10684 https://bugzilla.suse.com/1046858 SUSE Bug 1046858 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1175501 SUSE Bug 1175501 In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. CVE-2017-10685 SUSE Linux Enterprise Server 11 SP4:libncurses5-32bit-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses5-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses5-x86-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses6-32bit-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses6-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:libncurses6-x86-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:ncurses-devel-32bit-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:ncurses-devel-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:ncurses-utils-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:tack-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:terminfo-5.6-92.1 SUSE Linux Enterprise Server 11 SP4:terminfo-base-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses5-32bit-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses5-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses5-x86-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses6-32bit-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses6-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libncurses6-x86-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:ncurses-devel-32bit-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:ncurses-devel-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:ncurses-utils-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tack-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:terminfo-5.6-92.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:terminfo-base-5.6-92.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ncurses-devel-32bit-5.6-92.1 SUSE Linux Enterprise Software Development Kit 11 SP4:ncurses-devel-5.6-92.1 SUSE Linux Enterprise Software Development Kit 11 SP4:tack-5.6-92.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171790-1/ https://www.suse.com/security/cve/CVE-2017-10685.html CVE-2017-10685 https://bugzilla.suse.com/1046853 SUSE Bug 1046853 https://bugzilla.suse.com/1115932 SUSE Bug 1115932 https://bugzilla.suse.com/1175501 SUSE Bug 1175501