cbdq-io/docker-grype

CVE-2022-29458

Closed this issue · 2 comments

CI/CD pipelines failing due to CVE-2022-29458.

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

See https://github.com/cbdq-io/docker-grype/runs/6243314666?check_suite_focus=true

In the output from Grype, this vulnerability is being marked as "won't fix":

ncurses-base                      6.2+20201114-2                   deb        CVE-2021-39537       Negligible
ncurses-base                      6.2+20201114-2      (won't fix)  deb        CVE-2022-29458       High
ncurses-bin                       6.2+20201114-2                   deb        CVE-2021-39537       Negligible
ncurses-bin                       6.2+20201114-2      (won't fix)  deb        CVE-2022-29458       High

There is also no update available in the package repository.

This is only found in the non-fixed scan and passes OK when running with the FIXED_ONLY flag set. Therefore closing the ticket.
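To make the closing reasoning concrete, here is an added example (not code from the docker-grype project or from the issue participants) that parses the four Grype table lines quoted above and applies a severity gate twice: once over every finding and once over only findings that have a fix available. The column layout, the `(won't fix)` marker in the FIXED-IN column, the `high` fail threshold and the `fixed_only` switch are assumptions modelled on the output shown in the issue, not on how the project's `FIXED_ONLY` flag is implemented.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four Grype table rows quoted in the issue.
# Columns (assumed from the output): NAME, INSTALLED, FIXED-IN, TYPE, VULNERABILITY, SEVERITY.
SAMPLE_OUTPUT = """\
ncurses-base                      6.2+20201114-2                   deb        CVE-2021-39537       Negligible
ncurses-base                      6.2+20201114-2      (won't fix)  deb        CVE-2022-29458       High
ncurses-bin                       6.2+20201114-2                   deb        CVE-2021-39537       Negligible
ncurses-bin                       6.2+20201114-2      (won't fix)  deb        CVE-2022-29458       High
"""

# Ordering used for the gate; an unknown severity is treated as the lowest rank.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    package: str
    installed: str
    fixed_in: str      # "" when the column is blank, "(won't fix)" when the distro declines to patch
    pkg_type: str
    vuln_id: str
    severity: str

    def has_fix(self) -> bool:
        """A finding is actionable only if a fixed version is actually named."""
        return self.fixed_in != "" and self.fixed_in.lower() != "(won't fix)"


def parse_grype_table(text: str) -> list[Finding]:
    """Parse rows of the table format shown in the issue.

    Columns are separated by two or more spaces, so a single space inside
    "(won't fix)" does not split the cell.  A blank FIXED-IN column yields
    five fields, a populated one yields six.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 5:
            package, installed, pkg_type, vuln_id, severity = fields
            fixed_in = ""
        elif len(fields) == 6:
            package, installed, fixed_in, pkg_type, vuln_id, severity = fields
        else:
            raise ValueError(f"unexpected column count in row: {line!r}")
        findings.append(Finding(package, installed, fixed_in, pkg_type, vuln_id, severity))
    return findings


def gate(findings: list[Finding], fail_on: str = "high", fixed_only: bool = False):
    """Return (passed, offending_findings).

    With fixed_only=True, findings without an available fix (blank FIXED-IN or
    "(won't fix)") are ignored, which is the behaviour the issue relies on:
    the pipeline cannot act on them, so they should not block it.
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    considered = [f for f in findings if f.has_fix()] if fixed_only else findings
    offending = [f for f in considered
                 if SEVERITY_RANK.get(f.severity.lower(), 0) >= threshold]
    return len(offending) == 0, offending


if __name__ == "__main__":
    rows = parse_grype_table(SAMPLE_OUTPUT)
    for fixed_only in (False, True):
        passed, offending = gate(rows, fail_on="high", fixed_only=fixed_only)
        print(f"fixed_only={fixed_only}: passed={passed}, "
              f"blocking={[f.vuln_id + '/' + f.package for f in offending]}")
```

Run as-is, the unfiltered gate fails on the two High CVE-2022-29458 rows, while the fixed-only gate passes because neither row names a fixed version. The trade-off to keep in mind is that a fixed-only gate is silent about findings the distribution has declined to patch; those still need to be tracked elsewhere so they are not forgotten.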