Add advisory for ncurses uninitialized memory exposure

lewismosciski · djc · commit cbeb0465070d · 2025-10-22T13:47:40.000+02:00
diff --git a/crates/ncurses/RUSTSEC-0000-0000.md b/crates/ncurses/RUSTSEC-0000-0000.md
@@ -0,0 +1,33 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "ncurses"
+date = "2025-10-21"
+url = "https://github.com/RustSec/advisory-db/pull/2427"
+informational = "unsound"
+categories = ["memory-exposure"]
+keywords = ["memory-safety", "soundness"]
+
+[affected.functions]
+"ncurses::inchnstr" = ["<=6.0.1"]
+"ncurses::inchstr" = ["<=6.0.1"]
+"ncurses::innstr" = ["<=6.0.1"]
+"ncurses::mvwinchnstr" = ["<=6.0.1"]
+"ncurses::mvwinchstr" = ["<=6.0.1"]
+"ncurses::mvwinnstr" = ["<=6.0.1"]
+"ncurses::winchnstr" = ["<=6.0.1"]
+"ncurses::winchstr" = ["<=6.0.1"]
+"ncurses::winnstr" = ["<=6.0.1"]
+"ncurses::winstr" = ["<=6.0.1"]
+
+[versions]
+patched = []
+```
+
+# Uninitialized memory exposure in string reading functions
+
+Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.
+
+This allows reading uninitialized memory which may contain sensitive data from previous allocations.
+
+The ncurses-rs repository is archived and unmaintained.
