Sven Joachim <svenjoac@gmx.de> (2017-09-06):
> Meanwhile seven new CVEs in the tic library and programs have been
> reported, and I would like to fix those as well, see the attached new
> debdiff. It contains all the library changes from the 20170826 upstream
> patchlevel and the program fixes of the 20170902 patchlevel. I have
> also attached the test cases for the 13 bugs reported in the Red Hat
> bugtracker.
>
> >>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
> >>
> >> The changes do not touch the tinfo library which is all that shipped in
> >> the udeb.
> >
> > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
> > into the tic library while progs/dump_entry.c is for the infocmp and tic
> > programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> > stretch chroot produced identical libtinfo.so.5.9 files.
>
> This is unfortunately no longer the case, since strings.c and
> trim_sgr0.c are compiled into the tinfo library. However, the changes
> to these files are small.
I have no straightforward way to double check things still run smoothly
with stretch's d-i, so I'll follow whatever decision the release team
makes; if regressions pop up, we'll figure out how to fix them.
KiBi.
Attachment:
signature.asc
Description: PGP signature