Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

To: Sven Joachim <svenjoac@gmx.de>, 867814@bugs.debian.org
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, kibi@debian.org, debian-boot@lists.debian.org
Subject: Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 7 Sep 2017 05:32:47 +0200
Message-id: <[🔎] 20170907033247.twfl6fnwsfyn6jsa@eldamar.local>
Mail-followup-to: Sven Joachim <svenjoac@gmx.de>, 867814@bugs.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>, kibi@debian.org, debian-boot@lists.debian.org
In-reply-to: <[🔎] 87r2vjhiqz.fsf@turtle.gmx.de>
References: <87eftpcyb4.fsf@turtle.gmx.de> <1500113059.5317.185.camel@adam-barratt.org.uk> <874luegejd.fsf@turtle.gmx.de> <87o9sgnut3.fsf@turtle.gmx.de> <87eftpcyb4.fsf@turtle.gmx.de> <[🔎] 87r2vjhiqz.fsf@turtle.gmx.de>

Hi Sven

On Wed, Sep 06, 2017 at 06:52:36PM +0200, Sven Joachim wrote:
> On 2017-07-19 20:30 +0200, Sven Joachim wrote:
> 
> > Control: tags -1 - moreinfo
> >
> > On 2017-07-15 12:50 +0200, Sven Joachim wrote:
> >
> >> Control: tags -1 - confirmed
> >> Control: tags -1 + moreinfo
> >>
> >> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:
> >>
> >>> Control: tags -1 + confirmed d-i
> >>>
> >>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
> >>>> Recently a few flaws in the tic program and the tic library have been
> >>>> detected: null pointer dereference, buffer overflow, stack smashing, you
> >>>> name it.  Six bugs have been reported in the Red Hat bugtracker and four
> >>>> CVEs assigned.  Fortunately there are rather few users who would run
> >>>> affected programs at all, so it was decided that no DSA would be
> >>>> necessary.
> >>
> >> Unfortunately the fixes have caused a regression in infocmp, see
> >> #868266.  I expect an upstream fix this night, but to properly test it
> >> and prepare new packages taking a bit more time seems advisable.  So I
> >> guess we'll have to defer that for 9.2.
> >
> > The changes from the 20170715 patchlevel were a bit larger than I would
> > have liked, but applied with minimal tweaking to the stretch version.
> > Running "infocmp -C" on all the terminfo files in ncurses-{base,term}
> > showed no difference compared to the infocmp version currently in
> > stretch.
> 
> Meanwhile seven new CVEs in the tic library and programs have been
> reported, and I would like to fix those as well, see the attached new
> debdiff.  It contains all the library changes from the 20170826 upstream
> patchlevel and the program fixes of the 20170902 patchlevel.  I have
> also attached the test cases for the 13 bugs reported in the Red Hat
> bugtracker.

Not a must, and note that is just a comment on my side, I'm not a SRM:
if possible add a bug closer as well to the changelog entry so that
when the point release happends, the correct fixed version is as well
propagated to the BTS bugs.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
  - From: Sven Joachim <svenjoac@gmx.de>

References:
- Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
  - From: Sven Joachim <svenjoac@gmx.de>

Prev by Date: Bug#355801: (no subject)
Next by Date: Bug#874353: base-installer: Please add ppc64 support
Previous by thread: Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Next by thread: Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Index(es):
- Date
- Thread