
Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2



On 2019-11-08 19:52 +0000, Adam D. Barratt wrote:

> On Wed, 2019-11-06 at 11:54 +0000, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed d-i
>>
>> On 2019-11-02 19:10, Sven Joachim wrote:
>> > I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
>> > several bugs in tic's parser which have been reported last month.  Two
>> > of them are heap buffer overflows that have been assigned CVE numbers
>> > and a Debian bug[1], two others are out-of-bound-reads and one an
>> > infinite loop.
>> >
>> > I have verified that the reported crashes and the infinite loop which I
>> > could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
>> > least with the submitted corrupt input files.  Also, the compiled
>> > terminfo files in ncurses-base and ncurses-term are identical to the
>> > ones currently in buster.
>> >
>> > This upload touches the tinfo library which is used in the installer,
>> > however to the best of my knowledge the changed functions are only used
>> > by tic and not by any other packages.
>>
>> Nevertheless I'd appreciate a formal ACK there.
>
> Given that the window for getting fixes into the 10.2 point release
> closes this weekend, feel free to upload and we'll wait for the d-i ack
> before deciding whether to include it in 10.2.

Thanks, uploaded.

Cheers,
       Sven

