CVE-2023-50495: 
CBL Mariner vulnerability analysis and mitigation

NCurse v6.4-20230418 was discovered to contain a segmentation fault vulnerability via the component ncwrap_entry(). The vulnerability was assigned CVE-2023-50495 and was disclosed on December 12, 2023. The issue affects NCurses library versions prior to 6.4-20230424 (NVD, Debian Tracker).

The vulnerability exists in the code that parses terminfo database files, specifically in the ncwrap_entry() component. The issue manifests as a segmentation fault when processing certain malformed terminfo data. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating that it requires user interaction but can be exploited remotely without authentication (NVD).

Successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition through application crashes. However, since terminfo files are normally trusted, and after the fix for CVE-2023-29491, terminfo files are no longer parsed when apps are setuid, the security impact is considered low (Ubuntu).

The vulnerability was fixed in ncurses version 6.4-20230424. The fix involves checking the return value of ncsave_str() in the special case for tic where extended capabilities are processed but the terminal description was not initialized (GNU List).