Your message dated Wed, 14 Feb 2018 21:17:25 +0000
with message-id <e1em4qf-000eek...@fasolo.debian.org>
and subject line Bug#882620: fixed in ncurses 6.0+20161126-1+deb9u2
has caused the Debian Bug report #882620,
regarding [CVE-2017-16879] ncurses: Stack-based buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882620: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882620
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ncurses
X-Debbugs-CC: t...@security.debian.org
secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for ncurses.

CVE-2017-16879[0]:
| Stack-based buffer overflow in the _nc_write_entry function in
| tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial
| of service (application crash) or possibly execute arbitrary code via
| a crafted terminfo file, as demonstrated by tic.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.


I checked the PoC from [1] and it looks like it is working in every supported
Debian distro at the moment.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16879
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16879
[1] https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: ncurses
Source-Version: 6.0+20161126-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <svenj...@gmx.de> (supplier of updated ncurses package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Dec 2017 10:47:33 +0100
Source: ncurses
Binary: libtinfo5 libtinfo5-udeb libncurses5 libtinfo-dev libtinfo5-dbg libncurses5-dev libncurses5-dbg libncursesw5 libncursesw5-dev libncursesw5-dbg lib64ncurses5 lib64ncurses5-dev lib32ncurses5 lib32ncurses5-dev lib32ncursesw5 lib32ncursesw5-dev lib64tinfo5 lib32tinfo5 lib32tinfo-dev ncurses-bin ncurses-base ncurses-term ncurses-examples ncurses-doc
Architecture: source
Version: 6.0+20161126-1+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Sven Joachim <svenj...@gmx.de>
Description:
 lib32ncurses5 - shared libraries for terminal handling (32-bit)
 lib32ncurses5-dev - developer's libraries for ncurses (32-bit)
 lib32ncursesw5 - shared libraries for terminal handling (wide character support) (
 lib32ncursesw5-dev - developer's libraries for ncursesw (32-bit)
 lib32tinfo-dev - developer's library for the low-level terminfo library (32-bit)
 lib32tinfo5 - shared low-level terminfo library for terminal handling (32-bit)
 lib64ncurses5 - shared libraries for terminal handling (64-bit)
 lib64ncurses5-dev - developer's libraries for ncurses (64-bit)
 lib64tinfo5 - shared low-level terminfo library for terminal handling (64-bit)
 libncurses5 - shared libraries for terminal handling
 libncurses5-dbg - debugging/profiling libraries for ncurses
 libncurses5-dev - developer's libraries for ncurses
 libncursesw5 - shared libraries for terminal handling (wide character support)
 libncursesw5-dbg - debugging/profiling libraries for ncursesw
 libncursesw5-dev - developer's libraries for ncursesw
 libtinfo-dev - developer's library for the low-level terminfo library
 libtinfo5  - shared low-level terminfo library for terminal handling
 libtinfo5-dbg - debugging/profiling library for the low-level terminfo library
 libtinfo5-udeb - shared low-level terminfo library for terminal handling - udeb (udeb)
 ncurses-base - basic terminal type definitions
 ncurses-bin - terminal-related programs and man pages
 ncurses-doc - developer's guide and documentation for ncurses
 ncurses-examples - test programs and examples for ncurses
 ncurses-term - additional terminal type definitions
Closes: 882620
Changes:
 ncurses (6.0+20161126-1+deb9u2) stretch; urgency=medium
 .
   * Cherry-pick upstream fix from the 20171125 patchlevel to fix
     a buffer overflow in the _nc_write_entry function
     (CVE-2017-16879, Closes: #882620).
Checksums-Sha1:
 006f9876718a6a8081843fd99e36d09a66d6f335 3784 ncurses_6.0+20161126-1+deb9u2.dsc
 80fd31f9b95153dbe1d8c3e5f92f6401dd3ed5e7 59324 ncurses_6.0+20161126-1+deb9u2.debian.tar.xz
 8035d57fd29b8e96926a129d5a00e8b12417b772 7457 ncurses_6.0+20161126-1+deb9u2_source.buildinfo
Checksums-Sha256:
 8cd721a065bea8275bf8daae9f01018b5fa2e9e020ac7c09fb61220804c9b9f5 3784 ncurses_6.0+20161126-1+deb9u2.dsc
 04e6b5acf08d730c34f200ddb92144465ec346c0a3c1c2b9cbcd72ed9ddab1e7 59324 ncurses_6.0+20161126-1+deb9u2.debian.tar.xz
 2280d8666ace3319a2013211d1aeac1924fb0021e42a620666df81272aa73fe0 7457 ncurses_6.0+20161126-1+deb9u2_source.buildinfo
Files:
 ecc121dbddf0c4a19e76de26b94f714b 3784 libs required ncurses_6.0+20161126-1+deb9u2.dsc
 b02869572bbe0c8415da8efdc0b47385 59324 libs required ncurses_6.0+20161126-1+deb9u2.debian.tar.xz
 4ff8495be9a005c725862a90633342ef 7457 libs required ncurses_6.0+20161126-1+deb9u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---