
Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2



On Wed, 2019-11-06 at 11:54 +0000, Adam D. Barratt wrote:
> Control: tags -1 + confirmed d-i
> 
> On 2019-11-02 19:10, Sven Joachim wrote:
> > I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
> > several bugs in tic's parser which have been reported last month.  Two
> > of them are heap buffer overflows that have been assigned CVE numbers
> > and a Debian bug[1], two others are out-of-bound-reads and one an
> > infinite loop.
> > 
> > I have verified that the reported crashes and the infinite loop which I
> > could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
> > least with the submitted corrupt input files.  Also, the compiled
> > terminfo files in ncurses-base and ncurses-term are identical to the
> > ones currently in buster.
> > 
> > This upload touches the tinfo library which is used in the installer,
> > however to the best of my knowledge the changed functions are only used
> > by tic and not by any other packages.
> 
> Nevertheless I'd appreciate a formal ACK there.

Given that the window for getting fixes into the 10.2 point release
closes this weekend, feel free to upload and we'll wait for the d-i ack
before deciding whether to include it in 10.2.

Regards,

Adam

