Add advisory for ncurses uninitialized memory exposure

Lewis
2025-10-21 21:00:56 +08:00
committed by Dirkjan Ochtman
parent 58f3aaec0e
commit cbeb046507


@@ -0,0 +1,33 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "ncurses"
date = "2025-10-21"
url = "https://github.com/RustSec/advisory-db/pull/2427"
informational = "unsound"
categories = ["memory-exposure"]
keywords = ["memory-safety", "soundness"]
[affected.functions]
"ncurses::inchnstr" = ["<=6.0.1"]
"ncurses::inchstr" = ["<=6.0.1"]
"ncurses::innstr" = ["<=6.0.1"]
"ncurses::mvwinchnstr" = ["<=6.0.1"]
"ncurses::mvwinchstr" = ["<=6.0.1"]
"ncurses::mvwinnstr" = ["<=6.0.1"]
"ncurses::winchnstr" = ["<=6.0.1"]
"ncurses::winchstr" = ["<=6.0.1"]
"ncurses::winnstr" = ["<=6.0.1"]
"ncurses::winstr" = ["<=6.0.1"]
[versions]
patched = []
```
# Uninitialized memory exposure in string reading functions
Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.
This allows reading uninitialized memory which may contain sensitive data from previous allocations.
The ncurses-rs repository is archived and unmaintained.
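Review bot: The `[affected.functions]` table looks incomplete against its own naming pattern: it lists `innstr`, `winnstr` and `mvwinnstr` but not `mvinnstr`; it lists `winstr` but not `instr`, `mvinstr` or `mvwinstr`; and it lists `inchstr`/`inchnstr` and `mvwinchstr`/`mvwinchnstr` but not `mvinchstr`/`mvinchnstr`. If those variants exist in the crate and share the same length handling, add them with the same `["<=6.0.1"]` range, otherwise say in the description why they are unaffected. Separately, the body only says "Multiple string reading functions" and ends on the repository being archived; with `patched = []` there is no upgrade path, so a sentence telling users what to do (stop calling the listed functions, or move to a maintained binding) would make the advisory actionable. The `url` field also points at the advisory-db pull request itself, so a link to an upstream issue or a short reproducer, if one exists, would help readers verify the claim.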