--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package ncurses/5.9+20140913-1+deb8u3
- From: Sven Joachim <svenjoac@gmx.de>
- Date: Thu, 28 Dec 2017 11:43:05 +0100
- Message-id: <87wp17uo92.fsf@turtle.gmx.de>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
The same problem with the same fix as in #885582 for stretch.
Cheers,
Sven
diff -Nru ncurses-5.9+20140913/debian/changelog ncurses-5.9+20140913/debian/changelog
--- ncurses-5.9+20140913/debian/changelog 2017-12-03 11:20:45.000000000 +0100
+++ ncurses-5.9+20140913/debian/changelog 2017-12-28 11:14:57.000000000 +0100
@@ -1,3 +1,11 @@
+ncurses (5.9+20140913-1+deb8u3) jessie; urgency=medium
+
+ * Cherry-pick upstream fix from the 20171125 patchlevel to fix
+ a buffer overflow in the _nc_write_entry function
+ (CVE-2017-16879, Closes: #882620).
+
+ -- Sven Joachim <svenjoac@gmx.de> Thu, 28 Dec 2017 11:14:57 +0100
+
ncurses (5.9+20140913-1+deb8u2) jessie; urgency=medium
* Re-upload with no changes to work around #826161.
diff -Nru ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff
--- ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff 1970-01-01 01:00:00.000000000 +0100
+++ ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff 2017-12-28 10:53:47.000000000 +0100
@@ -0,0 +1,44 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Fix for CVE-2017-16879 in the _nc_write_entry function
+ Fix for CVE-2017-16879 cherry-picked from upstream patchlevel
+ 20171125.
+Bug-Debian: https://bugs.debian.org/882620
+Forwarded: not-needed
+Last-Update: 2017-11-27
+
+---
+ ncurses/tinfo/write_entry.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/ncurses/tinfo/write_entry.c
++++ b/ncurses/tinfo/write_entry.c
+@@ -268,6 +268,9 @@ _nc_write_entry(TERMTYPE *const tp)
+ #endif
+ #endif /* USE_SYMLINKS */
+
++ unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
++ char saved = '\0';
++
+ static int call_count;
+ static time_t start_time; /* time at start of writes */
+
+@@ -366,12 +369,18 @@ _nc_write_entry(TERMTYPE *const tp)
+ start_time = 0;
+ }
+
+- if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
++ if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {
+ _nc_warning("terminal name too long.");
++ saved = first_name[limit2];
++ first_name[limit2] = '\0';
++ }
+
+ _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename))
+ LEAF_FMT "/%s", first_name[0], first_name);
+
++ if (saved)
++ first_name[limit2] = saved;
++
+ /*
+ * Has this primary name been written since the first call to
+ * write_entry()? If so, the newer write will step on the older,
diff -Nru ncurses-5.9+20140913/debian/patches/series ncurses-5.9+20140913/debian/patches/series
--- ncurses-5.9+20140913/debian/patches/series 2017-12-01 10:17:11.000000000 +0100
+++ ncurses-5.9+20140913/debian/patches/series 2017-12-28 10:53:47.000000000 +0100
@@ -5,3 +5,4 @@
termcap-fix.diff
more-cve-fixes.diff
cve-2017-13733.diff
+cve-2017-16879.diff
--- End Message ---