Sven Joachim <svenjoac@gmx.de> (2017-09-06):
> Meanwhile seven new CVEs in the tic library and programs have been
> reported, and I would like to fix those as well, see the attached new
> debdiff. It contains all the library changes from the 20170826 upstream
> patchlevel and the program fixes of the 20170902 patchlevel. I have
> also attached the test cases for the 13 bugs reported in the Red Hat
> bugtracker.
>
> >>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
> >>
> >> The changes do not touch the tinfo library which is all that shipped in
> >> the udeb.
> >
> > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
> > into the tic library while progs/dump_entry.c is for the infocmp and tic
> > programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> > stretch chroot produced identical libtinfo.so.5.9 files.
>
> This is unfortunately no longer the case, since strings.c and
> trim_sgr0.c are compiled into the tinfo library. However, the changes
> to these files are small.

I have no straightforward way to double check things still run smoothly
with stretch's d-i, so I'll follow whatever decision the release team
makes; if regressions pop up, we'll figure out how to fix them.

KiBi.