Your message dated Sun, 03 Sep 2017 17:56:21 +0000
with message-id <[email protected]>
and subject line Bug#873746: fixed in ncurses 6.0+20170902-1
has caused the Debian Bug report #873746,
regarding ncurses: CVE-2017-13733
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
873746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ncurses
X-Debbugs-CC: [email protected]
[email protected]
Severity: important
Tags: security
Hi,
the following vulnerabilities were published for ncurses.
CVE-2017-13728[0]:
| There is an infinite loop in the next_char function in comp_scan.c in
| ncurses 6.0, related to libtic. A crafted input will lead to a remote
| denial of service attack.
CVE-2017-13729[1]:
| There is an illegal address access in the _nc_save_str function in
| alloc_entry.c in ncurses 6.0. It will lead to a remote denial of
| service attack.
CVE-2017-13730[2]:
| There is an illegal address access in the function
| _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead
| to a remote denial of service attack.
CVE-2017-13731[3]:
| There is an illegal address access in the function
| postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to
| a remote denial of service attack.
CVE-2017-13732[4]:
| There is an illegal address access in the function dump_uses() in
| progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of
| service attack.
CVE-2017-13733[5]:
| There is an illegal address access in the fmt_entry function in
| progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of
| service attack.
CVE-2017-13734[6]:
| There is an illegal address access in the _nc_safe_strcat function in
| strings.c in ncurses 6.0 that will lead to a remote denial of service
| attack.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-13728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728
[1] https://security-tracker.debian.org/tracker/CVE-2017-13729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729
[2] https://security-tracker.debian.org/tracker/CVE-2017-13730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730
[3] https://security-tracker.debian.org/tracker/CVE-2017-13731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731
[4] https://security-tracker.debian.org/tracker/CVE-2017-13732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732
[5] https://security-tracker.debian.org/tracker/CVE-2017-13733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733
[6] https://security-tracker.debian.org/tracker/CVE-2017-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734
Please adjust the affected versions in the BTS as needed.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
--- End Message ---
--- Begin Message ---
Source: ncurses
Source-Version: 6.0+20170902-1
We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Joachim <[email protected]> (supplier of updated ncurses package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 03 Sep 2017 19:25:01 +0200
Source: ncurses
Binary: libtinfo5 libtinfo5-udeb libncurses5 libtinfo-dev libtinfo5-dbg
 libncurses5-dev libncurses5-dbg libncursesw5 libncursesw5-dev libncursesw5-dbg
 lib64ncurses5 lib64ncurses5-dev lib32ncurses5 lib32ncurses5-dev lib32ncursesw5
 lib32ncursesw5-dev lib64tinfo5 lib32tinfo5 lib32tinfo-dev ncurses-bin
 ncurses-base ncurses-term ncurses-examples ncurses-doc
Architecture: source
Version: 6.0+20170902-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <[email protected]>
Changed-By: Sven Joachim <[email protected]>
Description:
 lib32ncurses5 - shared libraries for terminal handling (32-bit)
 lib32ncurses5-dev - developer's libraries for ncurses (32-bit)
 lib32ncursesw5 - shared libraries for terminal handling (wide character support) (
 lib32ncursesw5-dev - developer's libraries for ncursesw (32-bit)
 lib32tinfo-dev - developer's library for the low-level terminfo library (32-bit)
 lib32tinfo5 - shared low-level terminfo library for terminal handling (32-bit)
 lib64ncurses5 - shared libraries for terminal handling (64-bit)
 lib64ncurses5-dev - developer's libraries for ncurses (64-bit)
 lib64tinfo5 - shared low-level terminfo library for terminal handling (64-bit)
 libncurses5 - shared libraries for terminal handling
 libncurses5-dbg - debugging/profiling libraries for ncurses
 libncurses5-dev - developer's libraries for ncurses
 libncursesw5 - shared libraries for terminal handling (wide character support)
 libncursesw5-dbg - debugging/profiling libraries for ncursesw
 libncursesw5-dev - developer's libraries for ncursesw
 libtinfo-dev - developer's library for the low-level terminfo library
 libtinfo5 - shared low-level terminfo library for terminal handling
 libtinfo5-dbg - debugging/profiling library for the low-level terminfo library
 libtinfo5-udeb - shared low-level terminfo library for terminal handling - udeb (udeb)
 ncurses-base - basic terminal type definitions
 ncurses-bin - terminal-related programs and man pages
 ncurses-doc - developer's guide and documentation for ncurses
 ncurses-examples - test programs and examples for ncurses
 ncurses-term - additional terminal type definitions
Closes: 873746
Changes:
 ncurses (6.0+20170902-1) unstable; urgency=medium
 .
   * New upstream patchlevel.
     - Modify check in fmt_entry() to handle a cancelled reset string
       (CVE-2017-13733, Closes: #873746).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---