
Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2



Hi,

Adam D. Barratt <adam@adam-barratt.org.uk> (2019-11-06):
> Control: tags -1 + confirmed d-i
> 
> On 2019-11-02 19:10, Sven Joachim wrote:
> > I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
> > several bugs in tic's parser which have been reported last month.  Two
> > of them are heap buffer overflows that have been assigned CVE numbers
> > and a Debian bug[1], two others are out-of-bounds reads and one an
> > infinite loop.
> > 
> > I have verified that the reported crashes and the infinite loop which I
> > could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
> > least with the submitted corrupt input files.  Also, the compiled
> > terminfo files in ncurses-base and ncurses-term are identical to the
> > ones currently in buster.
> > 
> > This upload touches the tinfo library which is used in the installer,
> > however to the best of my knowledge the changed functions are only used
> > by tic and not by any other packages.
> 
> Nevertheless I'd appreciate a formal ACK there.

I have spent time trying to get d-i tested using netboot and netboot/gtk
mini.iso images built against the 3 packages available on coccia:

glib2.0_2.58.3-2+deb10u2.dsc
ncurses_6.1+20181013-2+deb10u2.dsc
systemd_241-7~deb10u2.dsc

And all use cases ran fine (4 × netboot-gtk and 1 × netboot — new).
FTAOD, the netboot (text-based) use case is about French only;
at some point I should implement RTL tests for both graphical and
text-based installers, but time is still a scarce resource.


Anyway: I'm fine with letting all three packages get accepted into pu,
even if I didn't dive into the ncurses patches.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
