Your message dated Thu, 24 Oct 2019 16:50:01 +0000
with message-id <[email protected]>
and subject line Bug#942401: fixed in ncurses 6.1+20191019-1
has caused the Debian Bug report #942401,
regarding ncurses: CVE-2019-17594 CVE-2019-17595
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
942401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ncurses
Version: 6.1+20190803-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for ncurses.

CVE-2019-17594[0]:
| There is a heap-based buffer over-read in the _nc_find_entry function
| in tinfo/comp_hash.c in the terminfo library in ncurses before
| 6.1-20191012.


CVE-2019-17595[1]:
| There is a heap-based buffer over-read in the fmt_entry function in
| tinfo/comp_hash.c in the terminfo library in ncurses before
| 6.1-20191012.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17594
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594
    https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html
[1] https://security-tracker.debian.org/tracker/CVE-2019-17595
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595
    https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ncurses
Source-Version: 6.1+20191019-1

We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <[email protected]> (supplier of updated ncurses package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 24 Oct 2019 18:18:57 +0200
Source: ncurses
Architecture: source
Version: 6.1+20191019-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <[email protected]>
Changed-By: Sven Joachim <[email protected]>
Closes: 933386 942401
Changes:
 ncurses (6.1+20191019-1) unstable; urgency=medium
 .
   * New upstream patchlevel.
     - Fix several errata in tic (Closes: #942401).
       + Check for invalid hashcode in _nc_find_type_entry
         and nc_find_name_entry (CVE-2019-17594).
       + Check for invalid hashcode in _nc_find_entry.
       + Check for missing character after backslash in fmt_entry
         (CVE-2019-17595).
   * Refresh patch 03-debian-ncursesconfig-omit-L.diff.
   * Support additional build profiles:
     - Skip building ABI 5 libraries in a pkg.ncurses.nolegacy build profile.
     - Skip building the examples in a pkg.ncurses.noexamples build profile.
     - Do not build libtinfo6-udeb in the noudeb build profile.
   * Add a "Replaces: alacritty (<< 0.3.4~)" to ncurses-term
     (Closes: #933386).
   * Add a Salsa CI pipeline in debian/gitlab-ci.yml.
   * Export BUILD_{C,CPP,LD}FLAGS in debian/rules, making blhc happy.
   * Upgrade Standards-Version to 4.4.1, no changes needed.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
