Your message dated Thu, 28 Sep 2017 05:47:12 +0000
with message-id <[email protected]>
and subject line Bug#873746: fixed in ncurses 6.0+20161126-1+deb9u1
has caused the Debian Bug report #873746,
regarding ncurses: CVE-2017-13733
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
873746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ncurses
X-Debbugs-CC: [email protected]
[email protected]
Severity: important
Tags: security
Hi,
the following vulnerabilities were published for ncurses.
CVE-2017-13728[0]:
| There is an infinite loop in the next_char function in comp_scan.c in
| ncurses 6.0, related to libtic. A crafted input will lead to a remote
| denial of service attack.
CVE-2017-13729[1]:
| There is an illegal address access in the _nc_save_str function in
| alloc_entry.c in ncurses 6.0. It will lead to a remote denial of
| service attack.
CVE-2017-13730[2]:
| There is an illegal address access in the function
| _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead
| to a remote denial of service attack.
CVE-2017-13731[3]:
| There is an illegal address access in the function
| postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to
| a remote denial of service attack.
CVE-2017-13732[4]:
| There is an illegal address access in the function dump_uses() in
| progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of
| service attack.
CVE-2017-13733[5]:
| There is an illegal address access in the fmt_entry function in
| progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of
| service attack.
CVE-2017-13734[6]:
| There is an illegal address access in the _nc_safe_strcat function in
| strings.c in ncurses 6.0 that will lead to a remote denial of service
| attack.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-13728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728
[1] https://security-tracker.debian.org/tracker/CVE-2017-13729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729
[2] https://security-tracker.debian.org/tracker/CVE-2017-13730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730
[3] https://security-tracker.debian.org/tracker/CVE-2017-13731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731
[4] https://security-tracker.debian.org/tracker/CVE-2017-13732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732
[5] https://security-tracker.debian.org/tracker/CVE-2017-13733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733
[6] https://security-tracker.debian.org/tracker/CVE-2017-13734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734
Please adjust the affected versions in the BTS as needed.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
--- End Message ---
--- Begin Message ---
Source: ncurses
Source-Version: 6.0+20161126-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Joachim <[email protected]> (supplier of updated ncurses package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 07 Sep 2017 19:05:43 +0200
Source: ncurses
Binary: libtinfo5 libtinfo5-udeb libncurses5 libtinfo-dev libtinfo5-dbg
 libncurses5-dev libncurses5-dbg libncursesw5 libncursesw5-dev libncursesw5-dbg
 lib64ncurses5 lib64ncurses5-dev lib32ncurses5 lib32ncurses5-dev lib32ncursesw5
 lib32ncursesw5-dev lib64tinfo5 lib32tinfo5 lib32tinfo-dev ncurses-bin
 ncurses-base ncurses-term ncurses-examples ncurses-doc
Architecture: source
Version: 6.0+20161126-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Craig Small <[email protected]>
Changed-By: Sven Joachim <[email protected]>
Description:
 lib32ncurses5 - shared libraries for terminal handling (32-bit)
 lib32ncurses5-dev - developer's libraries for ncurses (32-bit)
 lib32ncursesw5 - shared libraries for terminal handling (wide character support) (
 lib32ncursesw5-dev - developer's libraries for ncursesw (32-bit)
 lib32tinfo-dev - developer's library for the low-level terminfo library (32-bit)
 lib32tinfo5 - shared low-level terminfo library for terminal handling (32-bit)
 lib64ncurses5 - shared libraries for terminal handling (64-bit)
 lib64ncurses5-dev - developer's libraries for ncurses (64-bit)
 lib64tinfo5 - shared low-level terminfo library for terminal handling (64-bit)
 libncurses5 - shared libraries for terminal handling
 libncurses5-dbg - debugging/profiling libraries for ncurses
 libncurses5-dev - developer's libraries for ncurses
 libncursesw5 - shared libraries for terminal handling (wide character support)
 libncursesw5-dbg - debugging/profiling libraries for ncursesw
 libncursesw5-dev - developer's libraries for ncursesw
 libtinfo-dev - developer's library for the low-level terminfo library
 libtinfo5 - shared low-level terminfo library for terminal handling
 libtinfo5-dbg - debugging/profiling library for the low-level terminfo library
 libtinfo5-udeb - shared low-level terminfo library for terminal handling - udeb (udeb)
 ncurses-base - basic terminal type definitions
 ncurses-bin - terminal-related programs and man pages
 ncurses-doc - developer's guide and documentation for ncurses
 ncurses-examples - test programs and examples for ncurses
 ncurses-term - additional terminal type definitions
Closes: 873723 873746
Changes:
 ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
 .
   * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
     for various crash bugs in the tic library and the tic binary
     (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113).
   * Backport termcap-format fix from the 20170715 patchlevel, repairing a
     regression from the above security fixes (see #868266).
   * Cherry-pick upstream fixes from the 20170826 patchlevel for more
     crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729,
     CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734,
     Closes: #873723).
   * Cherry-pick upstream fixes from the 20170902 patchlevel to fix
     another crash bug in the tic program (CVE-2017-13733, Closes: #873746).
--- End Message ---