CVE-2018-19217
Publication date 12 November 2018
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.
Status
Package | Ubuntu Release | Status |
---|---|---|
ncurses | 22.04 LTS jammy | Not affected |
ncurses | 20.04 LTS focal | Not affected |
ncurses | 18.04 LTS bionic | Not affected |
ncurses | 16.04 LTS xenial | Fixed 6.0+20160213-1ubuntu1+esm1 |
ncurses | 14.04 LTS trusty | Fixed 5.9+20140118-1ubuntu1+esm1 |
Notes
ccdm94
For xenial and trusty, the issue reproduces for the release version of the package with the provided POC file. However, patches applied to fix the CVE group CVE-2017-137xx and the CVE group CVE-2017-1068x have most likely fixed the currently considered vulnerability as well, with the reproducer no longer causing a segmentation fault for versions of the package that include these patches. This means that within the fixes present in the already applied patches was the fix for this CVE as well.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |