Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2
Sven Joachim
2019-11-02 19:20:01 UTC
Package: release.debian.org
Severity: normal
Tags: buster d-i
User: ***@packages.debian.org
Usertags: pu

I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
several bugs in tic's parser which have been reported last month. Two
of them are heap buffer overflows that have been assigned CVE numbers
and a Debian bug[1], two others are out-of-bound-reads and one an
infinite loop.

I have verified that the reported crashes and the infinite loop which I
could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
least with the submitted corrupt input files. Also, the compiled
terminfo files in ncurses-base and ncurses-term are identical to the
ones currently in buster.

This upload touches the tinfo library which is used in the installer,
however to the best of my knowledge the changed functions are only used
by tic and not by any other packages.

Thanks for your consideration.


1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401
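The two checks described in the request above (the submitted corrupt input files no longer crash or hang tic, and the compiled terminfo trees shipped by ncurses-base and ncurses-term are unchanged) are the kind of thing worth scripting before a stable upload. The script below is an added example and is not part of this bug report or of the ncurses packaging. It assumes GNU coreutils (timeout, sha256sum, mktemp) and dpkg-deb; the exit-code classification relies on GNU timeout returning 124 on expiry and 128+signal for a command killed by a signal. The directory names, the stub terminfo file written by the demo section and the paths in the comments are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the ncurses package): script the
# two pre-upload checks, "corrupt inputs no longer crash or hang tic" and
# "compiled terminfo trees are byte-identical". Assumes GNU coreutils
# (timeout, sha256sum, mktemp) and dpkg-deb; all paths below are made up.

# Run a command under a wall-clock limit and classify the outcome.
# GNU timeout exits 124 when the limit expires; a command killed by a signal
# gives 128+signal (134 SIGABRT from assert/ASan, 139 SIGSEGV from a bad read);
# a parser that rejects bad input cleanly exits non-zero but below 128.
classify_run() {
    limit=$1; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    if   [ "$rc" -eq 124 ]; then echo hang
    elif [ "$rc" -ge 128 ]; then echo crash
    elif [ "$rc" -ne 0 ];   then echo rejected
    else                         echo ok
    fi
}

# Feed every file in directory $2 to the command "$3 ..." with $1 seconds each
# (the file is appended as the last argument, e.g. tic -o outdir FILE).
# Prints "<status> <file>" per input; returns 1 if any input hangs or crashes,
# so the check can gate the upload.
check_inputs() {
    limit=$1; dir=$2; shift 2
    failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        st=$(classify_run "$limit" "$@" "$f")
        echo "$st $f"
        case $st in hang|crash) failed=1 ;; esac
    done
    return "$failed"
}

# Sorted "<sha256>  <relative path>" listing of every regular file under $1.
tree_digest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Succeed iff two trees hold byte-identical files at identical relative paths;
# on mismatch print the differing digest lines and return 1. Content-based, so
# it also catches a changed file with an unchanged name, which a plain listing
# of package contents would miss.
trees_identical() {
    t=$(mktemp -d)
    tree_digest "$1" > "$t/old"
    tree_digest "$2" > "$t/new"
    rc=0
    diff "$t/old" "$t/new" || rc=1
    rm -rf "$t"
    return "$rc"
}

# Unpack a .deb for comparison (needs dpkg-deb; not exercised by the demo).
# Compare, e.g., <root>/usr/share/terminfo of the old and new ncurses-term.
extract_deb() {
    root=$(mktemp -d)
    dpkg-deb -x "$1" "$root"
    echo "$root"
}

# Demo on constructed data so the script runs without any package or tic.
demo=$(mktemp -d)
mkdir -p "$demo/old/x" "$demo/new/x"
printf 'xterm|constructed stub entry,\n\tcols#80,\n' > "$demo/old/x/xterm"
cp "$demo/old/x/xterm" "$demo/new/x/xterm"
trees_identical "$demo/old" "$demo/new" && echo "trees identical (expected)"
printf 'tampered\n' >> "$demo/new/x/xterm"
trees_identical "$demo/old" "$demo/new" >/dev/null || echo "trees differ (expected)"
echo "$(classify_run 1 sleep 5) (a 5 s sleep under a 1 s limit)"
rm -rf "$demo"
```

Against real packages the workflow is: extract_deb on the current and the proposed ncurses-term (and ncurses-base), run trees_identical on the terminfo directories under the two extraction roots, and run check_inputs with the tic from the new build, e.g. check_inputs 10 corrupt-inputs/ tic -o "$(mktemp -d)". A "rejected" result is the desired outcome for a corrupt file; "hang" or "crash" means the fix did not cover that input.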
Thomas Dickey
2019-11-02 20:10:01 UTC
Post by Sven Joachim
Package: release.debian.org
Severity: normal
Tags: buster d-i
Usertags: pu
I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
several bugs in tic's parser which have been reported last month. Two
of them are heap buffer overflows that have been assigned CVE numbers
hmm - "overflow" is the wrong term, afaik
(all of the ones that I verified were out-of-bound-reads).
Post by Sven Joachim
and a Debian bug[1], two others are out-of-bound-reads and one an
infinite loop.
I have verified that the reported crashes and the infinite loop which I
could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
least with the submitted corrupt input files. Also, the compiled
terminfo files in ncurses-base and ncurses-term are identical to the
ones currently in buster.
This upload touches the tinfo library which is used in the installer,
however to the best of my knowledge the changed functions are only used
by tic and not by any other packages.
that's accurate - comp*.c are just tic.
--
Thomas E. Dickey <***@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
Adam D. Barratt
2019-11-06 12:00:02 UTC
Control: tags -1 + confirmed d-i
Post by Sven Joachim
I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
several bugs in tic's parser which have been reported last month. Two
of them are heap buffer overflows that have been assigned CVE numbers
and a Debian bug[1], two others are out-of-bound-reads and one an
infinite loop.
I have verified that the reported crashes and the infinite loop which I
could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
least with the submitted corrupt input files. Also, the compiled
terminfo files in ncurses-base and ncurses-term are identical to the
ones currently in buster.
This upload touches the tinfo library which is used in the installer,
however to the best of my knowledge the changed functions are only used
by tic and not by any other packages.
Nevertheless I'd appreciate a formal ACK there.

Regards,

Adam
Adam D. Barratt
2019-11-08 20:00:02 UTC
Post by Adam D. Barratt
Control: tags -1 + confirmed d-i
Post by Sven Joachim
I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
several bugs in tic's parser which have been reported last month. Two
of them are heap buffer overflows that have been assigned CVE numbers
and a Debian bug[1], two others are out-of-bound-reads and one an
infinite loop.
I have verified that the reported crashes and the infinite loop which I
could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
least with the submitted corrupt input files. Also, the compiled
terminfo files in ncurses-base and ncurses-term are identical to the
ones currently in buster.
This upload touches the tinfo library which is used in the installer,
however to the best of my knowledge the changed functions are only used
by tic and not by any other packages.
Nevertheless I'd appreciate a formal ACK there.
Given that the window for getting fixes into the 10.2 point release
closes this weekend, feel free to upload and we'll wait for the d-i ack
before deciding whether to include it in 10.2.

Regards,

Adam
Sven Joachim
2019-11-08 21:40:01 UTC
Post by Adam D. Barratt
Post by Adam D. Barratt
Control: tags -1 + confirmed d-i
Post by Sven Joachim
I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
several bugs in tic's parser which have been reported last month. Two
of them are heap buffer overflows that have been assigned CVE numbers
and a Debian bug[1], two others are out-of-bound-reads and one an
infinite loop.
I have verified that the reported crashes and the infinite loop which I
could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
least with the submitted corrupt input files. Also, the compiled
terminfo files in ncurses-base and ncurses-term are identical to the
ones currently in buster.
This upload touches the tinfo library which is used in the installer,
however to the best of my knowledge the changed functions are only used
by tic and not by any other packages.
Nevertheless I'd appreciate a formal ACK there.
Given that the window for getting fixes into the 10.2 point release
closes this weekend, feel free to upload and we'll wait for the d-i ack
before deciding whether to include it in 10.2.
Thanks, uploaded.

Cheers,
Sven
Cyril Brulebois
2019-11-09 18:00:01 UTC
Hi,
Post by Adam D. Barratt
Control: tags -1 + confirmed d-i
Post by Sven Joachim
I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
several bugs in tic's parser which have been reported last month. Two
of them are heap buffer overflows that have been assigned CVE numbers
and a Debian bug[1], two others are out-of-bound-reads and one an
infinite loop.
I have verified that the reported crashes and the infinite loop which I
could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
least with the submitted corrupt input files. Also, the compiled
terminfo files in ncurses-base and ncurses-term are identical to the
ones currently in buster.
This upload touches the tinfo library which is used in the installer,
however to the best of my knowledge the changed functions are only used
by tic and not by any other packages.
Nevertheless I'd appreciate a formal ACK there.
I have spent time trying to get d-i tested using netboot and netboot/gtk
mini.iso images built against the 3 packages available on coccia:

glib2.0_2.58.3-2+deb10u2.dsc
ncurses_6.1+20181013-2+deb10u2.dsc
systemd_241-7~deb10u2.dsc

And all use cases ran fine (4 × netboot-gtk and 1 × netboot — new).
FTAOD, the netboot (text-based) use case is about French only;
at some point I should implement RTL tests for both graphical and
text-based installers, but time is still a scarce resource.


Anyway: I'm fine with letting all three packages get accepted into pu,
even if I didn't dive into the ncurses patches.


Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Adam D Barratt
2019-11-09 20:10:02 UTC
package release.debian.org
tags 944009 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: ncurses
Version: 6.1+20181013-2+deb10u2

Explanation: fix several security issues [CVE-2019-17594 CVE-2019-17595] and other issues in tic