
Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2



Control: tags -1 + confirmed d-i

On 2019-11-02 19:10, Sven Joachim wrote:
> I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
> several bugs in tic's parser which have been reported last month.  Two
> of them are heap buffer overflows that have been assigned CVE numbers
> and a Debian bug[1], two others are out-of-bound-reads and one an
> infinite loop.
>
> I have verified that the reported crashes and the infinite loop which I
> could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
> least with the submitted corrupt input files.  Also, the compiled
> terminfo files in ncurses-base and ncurses-term are identical to the
> ones currently in buster.
>
> This upload touches the tinfo library which is used in the installer,
> however to the best of my knowledge the changed functions are only used
> by tic and not by any other packages.

Nevertheless I'd appreciate a formal ACK there.

Regards,

Adam

