On 2019-11-08 19:52 +0000, Adam D. Barratt wrote:

> On Wed, 2019-11-06 at 11:54 +0000, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed d-i
>>
>> On 2019-11-02 19:10, Sven Joachim wrote:
>> > I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
>> > several bugs in tic's parser which have been reported last month. Two
>> > of them are heap buffer overflows that have been assigned CVE numbers
>> > and a Debian bug[1], two others are out-of-bound-reads and one an
>> > infinite loop.
>> >
>> > I have verified that the reported crashes and the infinite loop which I
>> > could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
>> > least with the submitted corrupt input files. Also, the compiled
>> > terminfo files in ncurses-base and ncurses-term are identical to the
>> > ones currently in buster.
>> >
>> > This upload touches the tinfo library which is used in the installer,
>> > however to the best of my knowledge the changed functions are only used
>> > by tic and not by any other packages.
>>
>> Nevertheless I'd appreciate a formal ACK there.
>
> Given that the window for getting fixes into the 10.2 point release
> closes this weekend, feel free to upload and we'll wait for the d-i ack
> before deciding whether to include it in 10.2.

Thanks, uploaded.

Cheers,
Sven