CVE-2022-29458
Closed this issue · 2 comments
dallinb commented
CI/CD pipelines failing due to CVE-2022-29458.
ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
See https://github.com/cbdq-io/docker-grype/runs/6243314666?check_suite_focus=true
dallinb commented
In the output from Grype, this vulnerability is being marked as "won't fix":
```
NAME          INSTALLED        FIXED-IN     TYPE  VULNERABILITY   SEVERITY
ncurses-base  6.2+20201114-2                deb   CVE-2021-39537  Negligible
ncurses-base  6.2+20201114-2  (won't fix)   deb   CVE-2022-29458  High
ncurses-bin   6.2+20201114-2                deb   CVE-2021-39537  Negligible
ncurses-bin   6.2+20201114-2  (won't fix)   deb   CVE-2022-29458  High
```
There is also no update available in the package repository.
dallinb commented
This is only found in the non-fixed scan and passes OK when running with the FIXED_ONLY flag set. Therefore closing the ticket.
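Why the fixed-only scan passes while the full scan fails: Grype records a fix state per match (`fixed`, `not-fixed`, `wont-fix`, `unknown`) in its JSON output, and the `--only-fixed` option keeps only matches with a `fixed` state, so the two `wont-fix` High findings above drop out before any severity gate is applied. The script below reproduces that filtering over a constructed report fragment mirroring the four findings quoted in this issue. It is an added example, not code from the docker-grype project or from the issue author; it assumes the Grype JSON field layout `matches[].vulnerability.{id,severity,fix.state}` and `matches[].artifact.{name,version,type}`, and it assumes the image's `FIXED_ONLY` flag maps onto `grype --only-fixed` (the severity gate mirrors `grype --fail-on`).

```python
import json

# Constructed Grype JSON fragment with only the fields this script reads.
# The four matches correspond to the table output quoted in the issue.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2021-39537", "severity": "Negligible",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "artifact": {"name": "ncurses-base", "version": "6.2+20201114-2", "type": "deb"},
        },
        {
            "vulnerability": {"id": "CVE-2022-29458", "severity": "High",
                              "fix": {"versions": [], "state": "wont-fix"}},
            "artifact": {"name": "ncurses-base", "version": "6.2+20201114-2", "type": "deb"},
        },
        {
            "vulnerability": {"id": "CVE-2021-39537", "severity": "Negligible",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "artifact": {"name": "ncurses-bin", "version": "6.2+20201114-2", "type": "deb"},
        },
        {
            "vulnerability": {"id": "CVE-2022-29458", "severity": "High",
                              "fix": {"versions": [], "state": "wont-fix"}},
            "artifact": {"name": "ncurses-bin", "version": "6.2+20201114-2", "type": "deb"},
        },
    ]
})

# Severity ladder used for the --fail-on style threshold; anything not in the
# list (e.g. "Unknown") ranks below "negligible" and never trips the gate.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]


def severity_rank(severity):
    """Position of a severity label on the ladder, -1 if unrecognised."""
    label = severity.lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else -1


def select_matches(report, only_fixed=False):
    """Apply the --only-fixed filter: keep only matches with fix.state == 'fixed'."""
    matches = report.get("matches", [])
    if only_fixed:
        matches = [m for m in matches
                   if m["vulnerability"].get("fix", {}).get("state") == "fixed"]
    return matches


def failing_matches(report_json, fail_on="high", only_fixed=False):
    """Return (package, cve, severity, fix_state) for every match at or above
    the fail_on severity, after the optional fixed-only filter."""
    report = json.loads(report_json)
    threshold = severity_rank(fail_on)
    failures = []
    for m in select_matches(report, only_fixed):
        vuln = m["vulnerability"]
        if severity_rank(vuln["severity"]) >= threshold:
            failures.append((m["artifact"]["name"], vuln["id"],
                             vuln["severity"], vuln.get("fix", {}).get("state")))
    return failures


if __name__ == "__main__":
    print("full scan, fail-on high:", failing_matches(SAMPLE_REPORT))
    print("fixed-only, fail-on high:", failing_matches(SAMPLE_REPORT, only_fixed=True))
```

Running the full scan with a High threshold yields the two `wont-fix` CVE-2022-29458 entries (one per ncurses package), while the fixed-only run returns nothing, which is exactly the pass/fail split described in the last comment. Note the trade-off the filter implies: a `wont-fix` or `not-fixed` finding is still present in the image; `--only-fixed` only stops it from blocking the pipeline, so such findings should still be tracked somewhere rather than forgotten.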