Your message dated Sat, 16 Nov 2019 10:08:47 +0000 with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk> and subject line Closing bugs for 10.2 point release fixes has caused the Debian Bug report #944009, regarding buster-pu: package ncurses/6.1+20181013-2+deb10u2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
944009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944009
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package ncurses/6.1+20181013-2+deb10u2
- From: Sven Joachim <svenjoac@gmx.de>
- Date: Sat, 02 Nov 2019 20:10:39 +0100
- Message-id: <87zhheytzk.fsf@turtle.gmx.de>
Package: release.debian.org
Severity: normal
Tags: buster d-i
User: release.debian.org@packages.debian.org
Usertags: pu

I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing several bugs in tic's parser which were reported last month. Two of them are heap buffer overflows that have been assigned CVE numbers and a Debian bug[1], two others are out-of-bounds reads and one is an infinite loop.

I have verified that the reported crashes and the infinite loop which I could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at least with the submitted corrupt input files. Also, the compiled terminfo files in ncurses-base and ncurses-term are identical to the ones currently in buster.

This upload touches the tinfo library which is used in the installer; however, to the best of my knowledge the changed functions are only used by tic and not by any other packages.

Thanks for your consideration.

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401

diff -Nru ncurses-6.1+20181013/debian/changelog ncurses-6.1+20181013/debian/changelog --- ncurses-6.1+20181013/debian/changelog 2019-08-05 20:03:21.000000000 +0200 +++ ncurses-6.1+20181013/debian/changelog 2019-11-02 19:16:19.000000000 +0100 
@@ -1,3 +1,20 @@ +ncurses (6.1+20181013-2+deb10u2) buster; urgency=medium + + * Cherry-pick tic fixes from upstream patchlevels 20191012, + 20191015 and 20191019 (Closes: #942401). + - Check for invalid hashcode in _nc_find_type_entry and + nc_find_entry (CVE-2019-17594). + - Check for missing character after backslash in fmt_entry + (CVE-2019-17595). + - Check for acsc with odd length in dump_entry in check for + one-one mapping. + - Check for missing character after backslash in write_it. + - Modify tic to exit if it cannot remove a conflicting name, because + treating that as a partial success can cause an infinite loop in + use-resolution. + + -- Sven Joachim <svenjoac@gmx.de> Sat, 02 Nov 2019 19:16:19 +0100 + ncurses (6.1+20181013-2+deb10u1) buster; urgency=medium * Drop "rep" from xterm-new and derived terminfo descriptions diff -Nru ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff --- ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff 1970-01-01 01:00:00.000000000 +0100 +++ ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff 2019-11-02 17:21:09.000000000 +0100 
@@ -0,0 +1,37 @@ +Author: Sven Joachim <svenjoac@gmx.de> +Description: Fix for CVE-2019-17594 + Check for invalid hashcode in _nc_find_type_entry and nc_find_entry, + fix cherry-picked from upstream patchlevel 20191012. +Bug-Debian: https://bugs.debian.org/942401 +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html +Forwarded: not-needed +Last-Update: 2019-11-02 + +--- + ncurses/tinfo/comp_hash.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/ncurses/tinfo/comp_hash.c ++++ b/ncurses/tinfo/comp_hash.c +@@ -63,7 +63,9 @@ _nc_find_entry(const char *string, + + hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + + real_table = _nc_get_table(termcap); + ptr = real_table + data->table_data[hashvalue]; +@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, + const HashData *data = _nc_get_hash_info(termcap); + int hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + const struct name_table_entry *const table = _nc_get_table(termcap); + + ptr = table + data->table_data[hashvalue]; diff -Nru ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff --- ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff 1970-01-01 01:00:00.000000000 +0100 +++ ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff 2019-11-02 17:22:34.000000000 +0100 
@@ -0,0 +1,36 @@ +Author: Sven Joachim <svenjoac@gmx.de> +Description: Fix for CVE-2019-17595 + Fix for CVE-2019-17595 cherry-picked from upstream patchlevel + 20191012. Additionally to the CVE fix, this contains a check for + acsc with odd length in dump_entry in check for one-one mapping. +Bug-Debian: https://bugs.debian.org/942401 +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00018.html +Forwarded: not-needed +Last-Update: 2019-11-02 + +--- + progs/dump_entry.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/progs/dump_entry.c ++++ b/progs/dump_entry.c +@@ -1110,7 +1110,8 @@ fmt_entry(TERMTYPE2 *tterm, + *d++ = '\\'; + *d = ':'; + } else if (*d == '\\') { +- *++d = *s++; ++ if ((*++d = *s++) == '\0') ++ break; + } + d++; + *d = '\0'; +@@ -1370,7 +1371,7 @@ one_one_mapping(const char *mapping) + + if (VALID_STRING(mapping)) { + int n = 0; +- while (mapping[n] != '\0') { ++ while (mapping[n] != '\0' && mapping[n + 1] != '\0') { + if (isLine(mapping[n]) && + mapping[n] != mapping[n + 1]) { + result = FALSE; diff -Nru ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff --- ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff 1970-01-01 01:00:00.000000000 +0100 +++ ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff 2019-11-02 17:31:13.000000000 +0100 
@@ -0,0 +1,30 @@ +Author: Sven Joachim <svenjoac@gmx.de> +Description: Fix an infinite loop in tic on invalid input + Modify tic to exit if it cannot remove a conflicting name, because + treating that as a partial success can cause an infinite loop in + use-resolution. + . + Fix cherry-picked from upstream patchlevel 20191019. +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00050.html +Forwarded: not-needed +Last-Update: 2019-11-02 + +--- + ncurses/tinfo/comp_parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/ncurses/tinfo/comp_parse.c ++++ b/ncurses/tinfo/comp_parse.c +@@ -180,11 +180,11 @@ remove_collision(char *n1, char *n2) + ++qend; + while ((*qstart++ = *qend++) != '\0') ; + fprintf(stderr, "...now\t%s\n", p2); ++ removed = TRUE; + } else { + fprintf(stderr, "Cannot remove alias '%.*s'\n", + (int) (qend - qstart), qstart); + } +- removed = TRUE; + break; + } + } diff -Nru ncurses-6.1+20181013/debian/patches/fix-write_it.diff ncurses-6.1+20181013/debian/patches/fix-write_it.diff --- ncurses-6.1+20181013/debian/patches/fix-write_it.diff 1970-01-01 01:00:00.000000000 +0100 +++ ncurses-6.1+20181013/debian/patches/fix-write_it.diff 2019-11-02 17:24:47.000000000 +0100 
@@ -0,0 +1,23 @@ +Author: Sven Joachim <svenjoac@gmx.de> +Description: Check for missing character after backslash in write_it + Fix cherry-picked from upstream patchlevel 20191015. +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00046.html +Forwarded: not-needed +Last-Update: 2019-11-02 + +--- + progs/tic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/progs/tic.c ++++ b/progs/tic.c +@@ -217,7 +217,8 @@ write_it(ENTRY * ep) + while ((ch = *t++) != 0) { + *d++ = (char) ch; + if (ch == '\\') { +- *d++ = *t++; ++ if ((*d++ = *t++) == '\0') ++ break; + } else if ((ch == '%') + && (*t == L_BRACE)) { + char *v = 0; diff -Nru ncurses-6.1+20181013/debian/patches/series ncurses-6.1+20181013/debian/patches/series --- ncurses-6.1+20181013/debian/patches/series 2019-08-04 11:15:46.000000000 +0200 +++ ncurses-6.1+20181013/debian/patches/series 2019-11-02 17:31:13.000000000 +0100 @@ -1,3 +1,7 @@ 01-debian-no-ada-doc.diff 02-debian-backspace.diff 03-debian-ncursesconfig-omit-L.diff +CVE-2019-17594.diff +CVE-2019-17595.diff +fix-write_it.diff +fix-tic-infloop.diffAttachment: signature.asc
Description: PGP signature
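Review bot: In the debian/changelog hunk, the CVE-2019-17594 item names the second function as "nc_find_entry", but the function patched in ncurses/tinfo/comp_hash.c is "_nc_find_entry" (see the hunk header "_nc_find_entry(const char *string,"). The same spelling appears in the Description field of CVE-2019-17594.diff. Suggest writing "_nc_find_entry" in both places so the entry can be matched against the source by a plain search.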
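Review bot: In CVE-2019-17594.diff, the new range test on hashvalue is added at the two lookups in _nc_find_entry and _nc_find_type_entry, while the out-of-range value itself still comes from data->hash_of(string), which the patch leaves unchanged. The identical three-line condition "hashvalue >= 0 && (unsigned) hashvalue < data->table_size && data->table_data[hashvalue] >= 0" is now duplicated, so any other place that indexes table_data with a hash_of result would need the same guard; it is worth confirming there is none, and a one-line comment at each site saying that an out-of-range hash is treated as "not found" would document the intended behaviour. Keeping the code byte-identical to upstream patchlevel 20191012 is a reasonable argument against factoring the check into a helper in a stable update.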
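Review bot: In CVE-2019-17595.diff, the one_one_mapping change stops the loop at a trailing unpaired character ("mapping[n] != '\0' && mapping[n + 1] != '\0'") without touching result, so an acsc string of odd length is no longer read out of bounds but is also not reported as malformed by this check. If that is the intended outcome, a short comment at the loop would make it explicit. Two smaller points: the Description repeats "Fix for CVE-2019-17595" in the summary and again in the body, and the file named after the CVE also carries the separate acsc fix, which the changelog lists as its own item; splitting it out, or at least naming both changes in the summary line, would make later auditing of what the CVE fix covers easier.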
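Review bot: In fix-tic-infloop.diff, the Description says tic is modified "to exit if it cannot remove a conflicting name", but the hunk in remove_collision only moves "removed = TRUE;" into the success branch, so the "Cannot remove alias" branch now leaves the flag unset. The exit itself must therefore happen in the caller, which is not part of this patch. Please confirm that the caller in 6.1+20181013 already treats a false return from remove_collision as fatal; if that handling came with a different part of upstream patchlevel 20191019, it needs to be cherry-picked too, otherwise the description should say that the function now reports failure rather than that tic exits.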
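Review bot: In fix-write_it.diff, the new test "if ((*d++ = *t++) == '\0') break;" leaves the loop with d already advanced one position past the NUL it has just copied, unlike the fmt_entry fix in CVE-2019-17595.diff, where the pre-increment form leaves d on the NUL. The code following the loop in write_it is not visible here, so please check that anything which terminates or measures the output through d still behaves correctly when the loop ends this way, and that the destination has room for that extra position. A brief comment on the break explaining that the input ended on a lone backslash would help readers of progs/tic.c.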
--- End Message ---
--- Begin Message ---
- To: 931766-done@bugs.debian.org, 932900-done@bugs.debian.org, 935250-done@bugs.debian.org, 935252-done@bugs.debian.org, 935392-done@bugs.debian.org, 939015-done@bugs.debian.org, 939166-done@bugs.debian.org, 939313-done@bugs.debian.org, 939354-done@bugs.debian.org, 939432-done@bugs.debian.org, 939446-done@bugs.debian.org, 939526-done@bugs.debian.org, 939738-done@bugs.debian.org, 939757-done@bugs.debian.org, 939831-done@bugs.debian.org, 939890-done@bugs.debian.org, 939965-done@bugs.debian.org, 940112-done@bugs.debian.org, 940170-done@bugs.debian.org, 940245-done@bugs.debian.org, 940476-done@bugs.debian.org, 940521-done@bugs.debian.org, 940548-done@bugs.debian.org, 940685-done@bugs.debian.org, 940686-done@bugs.debian.org, 940818-done@bugs.debian.org, 940943-done@bugs.debian.org, 941168-done@bugs.debian.org, 941227-done@bugs.debian.org, 941348-done@bugs.debian.org, 941451-done@bugs.debian.org, 941468-done@bugs.debian.org, 941683-done@bugs.debian.org, 941738-done@bugs.debian.org, 942044-done@bugs.debian.org, 942075-done@bugs.debian.org, 942177-done@bugs.debian.org, 942209-done@bugs.debian.org, 942253-done@bugs.debian.org, 942349-done@bugs.debian.org, 942356-done@bugs.debian.org, 942446-done@bugs.debian.org, 942486-done@bugs.debian.org, 942524-done@bugs.debian.org, 942827-done@bugs.debian.org, 943339-done@bugs.debian.org, 943364-done@bugs.debian.org, 943594-done@bugs.debian.org, 943605-done@bugs.debian.org, 943667-done@bugs.debian.org, 943766-done@bugs.debian.org, 943846-done@bugs.debian.org, 943882-done@bugs.debian.org, 944002-done@bugs.debian.org, 944009-done@bugs.debian.org, 944064-done@bugs.debian.org, 944119-done@bugs.debian.org, 944133-done@bugs.debian.org, 944238-done@bugs.debian.org, 944252-done@bugs.debian.org, 944374-done@bugs.debian.org, 944390-done@bugs.debian.org
- Subject: Closing bugs for 10.2 point release fixes
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 16 Nov 2019 10:08:47 +0000
- Message-id: <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable point release.

Regards,

Adam
--- End Message ---