CVE-2020-19189: 
NixOS vulnerability analysis and mitigation

A Buffer Overflow vulnerability was discovered in the postprocessterminfo function in tinfo/parseentry.c:997 in ncurses 6.1. The vulnerability was assigned identifier CVE-2020-19189 and was publicly disclosed in August 2023 (NVD). The vulnerability affects the ncurses library, which is a text-based user interface toolkit used in various operating systems and applications.

The vulnerability exists in the postprocessterminfo function of ncurses version 6.1, specifically at line 997 in the tinfo/parseentry.c file. When processing a crafted terminfo database, it can trigger a heap-based buffer overflow condition. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD, NetApp Advisory).

When successfully exploited, this vulnerability can lead to denial of service (DoS) conditions, potentially causing unexpected application termination. The vulnerability primarily affects the availability of the system, with no direct impact on confidentiality or integrity (NetApp Advisory).

Multiple vendors have released patches to address this vulnerability. Debian has fixed the issue in version 6.1+20181013-2+deb10u4 for Debian 10 buster (Debian Advisory). Apple has included fixes in their macOS updates including Sonoma 14.2, Ventura 13.6.3, and Monterey 12.7.2 (Apple Support).