Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2



On Sat, Nov 02, 2019 at 08:10:39PM +0100, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster d-i
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
> several bugs in tic's parser which were reported last month.  Two
> of them are heap buffer overflows that have been assigned CVE numbers

hmm - "overflow" is the wrong term, afaik
(all of the ones that I verified were out-of-bound-reads).

> and a Debian bug[1], two others are out-of-bound-reads and one an
> infinite loop.
> 
> I have verified that the reported crashes and the infinite loop which I
> could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
> least with the submitted corrupt input files.  Also, the compiled
> terminfo files in ncurses-base and ncurses-term are identical to the
> ones currently in buster.
> 
> This upload touches the tinfo library which is used in the installer,
> however to the best of my knowledge the changed functions are only used
> by tic and not by any other packages.

that's accurate - comp*.c are just tic.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
