[BUG] ncurses vulnerability - CVE-2019-15548

[Terkwood]

Describe the bug
ncurses is subject to the vulnerability listed in https://nvd.nist.gov/vuln/detail/CVE-2019-15548

Environment

• Cursive commit 0c6669d (at least)

[gyscos]

Thanks for the report!

I don't think we use the affected functions, but it doesn't hurt to update to the latest version of fixed.

[dbrgn]

More information can be found here: https://rustsec.org/advisories/RUSTSEC-2019-0006

Affected functions:

• ncurses::instr
• ncurses::mvprintw
• ncurses::mvwinstr
• ncurses::mvwprintw
• ncurses::printw

I don't think we use the affected functions

Yeah, I couldn't find any usage of an affected function either.

but it doesn't hurt to update to the latest version of fixed

So far there's no fix available: jeaye/ncurses-rs#209

[Terkwood]

Will close this for now. Thank you

[correabuscar]

Would be nice to get cursive to use the version 6 of ncurses-rs possibly after jeaye/ncurses-rs#209 is closed(although it seems at least some issues were addressed),
but to do so at this time would require the following 2 patches: one would apply to ncurses-rs and one to cursive to facilitate this transition, but of course ncurses-rs would have to update first and release on crates.io, only after cursive would patch to use it:
jeaye/ncurses-rs#201 (comment)

[vwbusguy]

Getting this would also help us ship the ncurses library update in Fedora as well: https://bugzilla.redhat.com/show_bug.cgi?id=2272332

[correabuscar]

I'll submit a PR later after the ncurses-rs one gets in first: jeaye/ncurses-rs#218
(I'll do one for pancurses too, already got them both working)